trouble with trojans

wmbeyer
2010-04-30, 07:47
I have run Spybot, followed by Spyware Doctor, System Security 1.04, and Trojan Hunter. Each has removed some problems, but I still have at least one that continues. It reloads itself even after I uncheck it from the startup in the system config utility. I cannot delete registry entries without them returning. This is the file name that is showing up on everything: c:\windows\system32\vtuurr.dll
The DLL file says it is from Real World Graphics and that it is a JPEG photo resizer. My Norton AV keeps telling me that I have an HTTPS Tidserv Request 2 blocked, as well as a couple of IP addresses being blocked from intruding.

I have a GMER Scan Log, Hijack This log, Spybot bug report and snapshots of the reports from the various malware removal programs.

If it cannot be fixed, tell me; I just need to know if I am going to have to reformat my PC. Here is the DDS log that I ran just a little while ago.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 23:13:33.02 on Thu 04/29/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.767.270 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~4\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\PROGRA~1\NORTON~4\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.att.net/
uSearch Page = hxxp://srch-qus10.hpwis.com/
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
uWindow Title =
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://qus10.hpwis.com/
mSearch Bar = hxxp://srch-qus10.hpwis.com/
mWindow Title =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: PCTools Site Guard: {5c8b2a36-3db1-42a4-a3cb-d426709bbfeb} - c:\progra~1\spywar~2\tools\iesdsg.dll
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll
BHO: PCTools Browser Monitor: {b56a7d7d-6927-48c8-a975-17df180c71ac} - c:\progra~1\spywar~2\tools\iesdpb.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Norton Internet Security: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [sstsqpsys] rundll32.exe "vtuurr.dll",DllRegisterServer
mRun: [yabyyxsys] rundll32.exe "vtuurr.dll",DllRegisterServer
mRun: [tuvwvwsys] rundll32.exe "vtuurr.dll",DllRegisterServer
mRun: [opqppmsys] rundll32.exe "vtuurr.dll",DllRegisterServer
mRun: [fcccbcsys] rundll32.exe "vtuurr.dll",DllRegisterServer
mRun: [efdedbsys] rundll32.exe "vtuurr.dll",DllRegisterServer
dRun: [iifghfsys] rundll32.exe "vtuurr.dll",DllRegisterServer
uPolicies-explorer: NoRecentDocsNetHood = 01000000
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {5E638779-1818-4754-A595-EF1C63B87A56} - c:\program files\norton systemworks\norton cleanup\WCQuick.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021} - c:\progra~1\spywar~2\tools\iesdpb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: att.net\webauth
Trusted Zone: fortunerep.com\www
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: windowsupdate.com\download
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 vtuurr.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 ikhfile;File Security Kernel Anti-Spyware Driver;c:\windows\system32\drivers\ikhfile.sys [2007-2-24 30592]
R1 ikhlayer;Kernel Anti-Spyware Driver;c:\windows\system32\drivers\ikhlayer.sys [2007-2-24 51072]
R1 SAVRTPEL;SAVRTPEL;c:\program files\norton systemworks\norton antivirus\Savrtpel.sys [2005-8-26 53896]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2005-6-3 3744]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2005-9-17 192104]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\CCPROXY.EXE [2004-8-27 235168]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2005-9-17 169576]
R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2005-6-3 3904]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton systemworks\norton antivirus\NAVAPSVC.EXE [2005-9-23 139888]
R2 NProtectService;Norton UnErase Protection;c:\progra~1\norton~4\norton~2\NPROTECT.EXE [2005-11-3 95832]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2005-6-3 1251720]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-10 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20081220.003\NAVENG.Sys [2008-12-20 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20081220.003\NavEx15.Sys [2008-12-20 876112]
R3 SAVRT;SAVRT;c:\program files\norton systemworks\norton antivirus\savrt.sys [2005-8-26 334984]
S2 mrtRate;mrtRate; [x]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2004-8-27 79520]
S3 idrmkl;idrmkl;\??\c:\docume~1\owner\locals~1\temp\idrmkl.sys --> c:\docume~1\owner\locals~1\temp\idrmkl.sys [?]
S3 SAVScan;Symantec AVScan;c:\program files\norton systemworks\norton antivirus\SAVScan.exe [2005-8-26 198368]

=============== Created Last 30 ================

2010-04-26 00:16:42 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-04-26 00:04:04 0 d-----w- c:\program files\Cobian Backup 10
2010-04-21 04:37:28 0 d-----w- c:\docume~1\alluse~1\applic~1\TrojanHunter
2010-04-21 04:10:37 0 d-----w- c:\docume~1\owner\applic~1\TrojanHunter
2010-04-21 03:03:35 0 d-----w- c:\program files\TrojanHunter 5.3
2010-04-15 03:42:14 90112 ---ha-w- c:\windows\system32\vtuurr.dll

==================== Find3M ====================

2010-04-15 05:45:15 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-16 13:19:55 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39:04 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:36:09 100864 ----a-w- c:\windows\system32\6to4svc.dll
2006-11-21 23:51:54 774144 -c--a-w- c:\program files\RngInterstitial.dll

============= FINISH: 23:14:59.24 ===============
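As an added defender's example (not from the thread, the helper, or the DDS tool itself): a small Python triage script that parses the "Pseudo HJT Report" section of a DDS log such as the one above and flags the persistence patterns it shows. The sample input is an excerpt of the log posted above; the finding tags, severities and the loopback/default-package lists are my own assumptions.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log for persistence indicators.

Patterns flagged (chosen from what the posted log shows):
  * Run-key entries that launch rundll32 on a DLL given by bare name (no path)
  * LSA Authentication Packages beyond the default msv1_0
  * hosts-file entries that blackhole a site to loopback
  * BHO/toolbar/explorer-bar CLSIDs whose file is missing ("No File")
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Excerpt of the DDS log posted in the thread, embedded here as a constructed
# test input (not the full log).
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [sstsqpsys] rundll32.exe "vtuurr.dll",DllRegisterServer
mRun: [yabyyxsys] rundll32.exe "vtuurr.dll",DllRegisterServer
dRun: [iifghfsys] rundll32.exe "vtuurr.dll",DllRegisterServer
LSA: Authentication Packages = msv1_0 vtuurr.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============
"""


class Finding(NamedTuple):
    kind: str      # short tag for the pattern matched (assumed naming)
    severity: str  # "high" or "low" (assumed scale)
    detail: str    # the specific value that triggered the finding
    line: str      # the original log line


RUN_RE = re.compile(r"^([umd]Run): \[([^\]]+)\] (.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,\s*(\w+)', re.IGNORECASE)
LSA_RE = re.compile(r"^LSA: Authentication Packages = (.*)$")
HOSTS_RE = re.compile(r"^Hosts: (\S+) (\S+)$")
NOFILE_RE = re.compile(r"^(BHO|TB|EB): .* - No File$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}   # assumed blackhole targets
DEFAULT_AUTH_PACKAGES = {"msv1_0"}           # stock XP authentication package


def pseudo_hjt_section(log: str) -> List[str]:
    """Return the non-empty lines between the Pseudo HJT header and the next section."""
    lines: List[str] = []
    inside = False
    for raw in log.splitlines():
        line = raw.strip()
        if "Pseudo HJT Report" in line:
            inside = True
            continue
        if inside and line.startswith("====="):
            break  # next section header reached
        if inside and line:
            lines.append(line)
    return lines


def triage(log: str) -> List[Finding]:
    """Scan the Pseudo HJT section and return every matched persistence indicator."""
    findings: List[Finding] = []
    for line in pseudo_hjt_section(log):
        m = RUN_RE.match(line)
        if m:
            r = RUNDLL_RE.search(m.group(3))
            if r and "\\" not in r.group(1):
                # A bare DLL name relies on the loader search path; legitimate
                # Run entries almost always give a full path.
                findings.append(Finding("run-rundll32-bare-dll", "high", r.group(1), line))
            continue
        m = LSA_RE.match(line)
        if m:
            for pkg in m.group(1).split():
                if pkg.lower() not in DEFAULT_AUTH_PACKAGES:
                    # Extra auth packages load into lsass.exe at boot, before any
                    # user-mode cleanup runs, which is why the DLL keeps coming back.
                    findings.append(Finding("lsa-extra-auth-package", "high", pkg, line))
            continue
        m = HOSTS_RE.match(line)
        if m and m.group(1) in LOOPBACK:
            findings.append(Finding("hosts-blackhole", "high", m.group(2), line))
            continue
        if NOFILE_RE.match(line):
            c = CLSID_RE.search(line)
            findings.append(Finding("orphaned-browser-extension", "low",
                                    c.group(0) if c else line, line))
    return findings


def dll_load_counts(findings: List[Finding]) -> Dict[str, int]:
    """Count how many Run entries re-register each bare-named DLL (redundant persistence)."""
    return dict(Counter(f.detail.lower() for f in findings
                        if f.kind == "run-rundll32-bare-dll"))


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity}] {f.kind}: {f.detail}")
    print(dll_load_counts(triage(SAMPLE_DDS)))
```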

shelf life
2010-05-01, 15:48
hi wmbeyer,

Your log is a few days old. If you still need help reply to my post.

wmbeyer
2010-05-01, 22:12
I still need help. I have been trying to monitor the posts. I am not on the infected computer at this time. I am on my laptop. Please post whatever instructions that you may have. I WILL NOT ABANDON YOUR HELP until you or everyone else says that they cannot help. I will be back from work around 8pm today. And, Thanks

shelf life
2010-05-02, 01:43
hi,

OK. Let's start with Malwarebytes and go from there. Link and directions:

Please download Malwarebytes (http://www.malwarebytes.org/mbam.php) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.

wmbeyer
2010-05-02, 06:59
I downloaded and installed Malwarebytes, and checked the boxes to update and run. It never started. As soon as I tried to run it I got a notice of an attempted intrusion from Norton AV. I tried several times to launch it. No luck. I uninstalled it and re-installed it; again the attempted hack and no start of Malwarebytes. Here are the logs from Intrusion Detection and content blocking. I downloaded the setup file. Do you want me to uninstall it, and re-install it in safe mode? What now?

Category: Intrusion Detection
Date,User,Message,Details
5/1/2010 11:39:04 PM,Supervisor,Intrusion: HTTPS Tidserv Request 2.,"Intrusion: HTTPS Tidserv Request 2. Intruder: 91.212.226.59(https(443)). Risk Level: High. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 1069."
5/1/2010 11:39:04 PM,Supervisor,Intrusion detected and blocked. All communication with 91.212.226.59 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 91.212.226.59 will be blocked for 30 minutes.
5/1/2010 11:33:45 PM,No User,Intrusion Detection is monitoring 1300 signatures.,Intrusion Detection is monitoring 1300 signatures.
5/1/2010 11:33:45 PM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
5/1/2010 11:33:45 PM,No User,Intrusion Detection Signature File Version: 20100421.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100421.001. Intrusion Detection Engine Version: 4.5.0.67.
5/1/2010 11:24:18 PM,Supervisor,Intrusion: HTTP Tidserv Request.,"Intrusion: HTTP Tidserv Request. Intruder: 85.12.46.159(http(80)). Risk Level: High. Protocol: TCP. Attacked IP: localhost. Attacked Port: 1869."
5/1/2010 11:24:18 PM,Supervisor,Intrusion detected and blocked. All communication with 85.12.46.159 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 85.12.46.159 will be blocked for 30 minutes.
5/1/2010 11:16:17 PM,Supervisor,Intrusion detected and blocked. All communication with 85.12.46.158 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 85.12.46.158 will be blocked for 30 minutes.
5/1/2010 11:16:17 PM,Supervisor,Intrusion: HTTP Tidserv Request.,"Intrusion: HTTP Tidserv Request. Intruder: 85.12.46.158(http(80)). Risk Level: High. Protocol: TCP. Attacked IP: localhost. Attacked Port: 1265."
5/1/2010 12:02:38 PM,No User,Intrusion Detection is monitoring 1300 signatures.,Intrusion Detection is monitoring 1300 signatures.
5/1/2010 12:02:38 PM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
5/1/2010 12:02:38 PM,No User,Intrusion Detection Signature File Version: 20100421.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100421.001. Intrusion Detection Engine Version: 4.5.0.67.
4/30/2010 11:14:46 AM,Supervisor,Intrusion: HTTP Tidserv Request.,"Intrusion: HTTP Tidserv Request. Intruder: 85.12.46.158(http(80)). Risk Level: High. Protocol: TCP. Attacked IP: localhost. Attacked Port: 4879."
4/30/2010 11:14:46 AM,Supervisor,Intrusion detected and blocked. All communication with 85.12.46.158 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 85.12.46.158 will be blocked for 30 minutes.
4/30/2010 12:40:50 AM,Supervisor,Intrusion: HTTPS Tidserv Request 2.,"Intrusion: HTTPS Tidserv Request 2. Intruder: 91.212.226.67(https(443)). Risk Level: High. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 4330."
4/30/2010 12:40:50 AM,Supervisor,Intrusion detected and blocked. All communication with 91.212.226.67 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 91.212.226.67 will be blocked for 30 minutes.
4/30/2010 12:10:49 AM,Supervisor,Intrusion detected and blocked. All communication with 91.212.226.59 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 91.212.226.59 will be blocked for 30 minutes.
4/30/2010 12:10:49 AM,Supervisor,Intrusion: HTTPS Tidserv Request 2.,"Intrusion: HTTPS Tidserv Request 2. Intruder: 91.212.226.59(https(443)). Risk Level: High. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 4080."
4/29/2010 10:12:54 PM,Supervisor,Intrusion: Portscan.,"Intrusion: Portscan. Intruder: 78.138.151.126(10527). Risk Level: Medium. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 9090."
4/29/2010 10:12:54 PM,Supervisor,Intrusion detected and blocked. All communication with 78.138.151.126 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 78.138.151.126 will be blocked for 30 minutes.
4/29/2010 12:56:07 PM,Supervisor,Intrusion Detection is monitoring 1300 signatures.,Intrusion Detection is monitoring 1300 signatures.
4/29/2010 12:56:07 PM,Supervisor,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/29/2010 12:56:07 PM,Supervisor,Intrusion Detection Signature File Version: 20100421.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100421.001. Intrusion Detection Engine Version: 4.5.0.67.
4/29/2010 12:51:48 PM,Supervisor,Intrusion detected and blocked. All communication with 85.12.46.158 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 85.12.46.158 will be blocked for 30 minutes.
4/29/2010 12:51:48 PM,Supervisor,Intrusion: HTTP Tidserv Request.,"Intrusion: HTTP Tidserv Request. Intruder: 85.12.46.158(http(80)). Risk Level: High. Protocol: TCP. Attacked IP: localhost. Attacked Port: 1128."
4/27/2010 10:05:29 PM,No User,Intrusion Detection is monitoring 1302 signatures.,Intrusion Detection is monitoring 1302 signatures.
4/27/2010 10:05:29 PM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/27/2010 10:05:29 PM,No User,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.
4/27/2010 9:59:50 PM,No User,Intrusion Detection is monitoring 1302 signatures.,Intrusion Detection is monitoring 1302 signatures.
4/27/2010 9:59:50 PM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/27/2010 9:59:50 PM,No User,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.
4/26/2010 11:32:47 AM,No User,Intrusion Detection is monitoring 1302 signatures.,Intrusion Detection is monitoring 1302 signatures.
4/26/2010 11:32:47 AM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/26/2010 11:32:47 AM,No User,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.
4/26/2010 11:26:56 AM,No User,Intrusion Detection is monitoring 1302 signatures.,Intrusion Detection is monitoring 1302 signatures.
4/26/2010 11:26:56 AM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/26/2010 11:26:56 AM,No User,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.
4/25/2010 10:39:18 PM,No User,Intrusion Detection is monitoring 1302 signatures.,Intrusion Detection is monitoring 1302 signatures.
4/25/2010 10:39:18 PM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/25/2010 10:39:18 PM,No User,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.
4/21/2010 12:42:28 PM,Supervisor,Intrusion detected and blocked. All communication with 202.157.171.207 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 202.157.171.207 will be blocked for 30 minutes.
4/21/2010 12:42:28 PM,Supervisor,Intrusion: HTTPS Tidserv Request 2.,"Intrusion: HTTPS Tidserv Request 2. Intruder: 202.157.171.207(https(443)). Risk Level: High. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 3124."
4/21/2010 12:12:27 PM,Supervisor,Intrusion: HTTPS Tidserv Request 2.,"Intrusion: HTTPS Tidserv Request 2. Intruder: 91.212.226.67(https(443)). Risk Level: High. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 2959."
4/21/2010 12:12:27 PM,Supervisor,Intrusion detected and blocked. All communication with 91.212.226.67 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 91.212.226.67 will be blocked for 30 minutes.
4/21/2010 11:44:54 AM,Supervisor,Intrusion detected and blocked. All communication with 91.212.226.130 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 91.212.226.130 will be blocked for 30 minutes.
4/21/2010 11:44:54 AM,Supervisor,Intrusion: HTTP Tidserv Request.,"Intrusion: HTTP Tidserv Request. Intruder: 91.212.226.130(http(80)). Risk Level: High. Protocol: TCP. Attacked IP: localhost. Attacked Port: 1790."
4/21/2010 11:42:26 AM,Supervisor,Intrusion: HTTPS Tidserv Request 2.,"Intrusion: HTTPS Tidserv Request 2. Intruder: 91.212.226.59(https(443)). Risk Level: High. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 1669."
4/21/2010 11:42:26 AM,Supervisor,Intrusion detected and blocked. All communication with 91.212.226.59 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 91.212.226.59 will be blocked for 30 minutes.
4/21/2010 1:37:06 AM,No User,Intrusion Detection is monitoring 1302 signatures.,Intrusion Detection is monitoring 1302 signatures.
4/21/2010 1:37:06 AM,No User,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.
4/21/2010 1:37:06 AM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/21/2010 12:46:14 AM,Supervisor,Intrusion: HTTPS Tidserv Request 2.,"Intrusion: HTTPS Tidserv Request 2. Intruder: 91.212.226.59(https(443)). Risk Level: High. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 1066."
4/21/2010 12:46:14 AM,Supervisor,Intrusion detected and blocked. All communication with 91.212.226.59 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 91.212.226.59 will be blocked for 30 minutes.
4/21/2010 12:40:57 AM,No User,Intrusion Detection is monitoring 1302 signatures.,Intrusion Detection is monitoring 1302 signatures.
4/21/2010 12:40:57 AM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/21/2010 12:40:57 AM,No User,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.
4/21/2010 12:34:51 AM,Supervisor,Intrusion: HTTPS Tidserv Request 2.,"Intrusion: HTTPS Tidserv Request 2. Intruder: 91.212.226.59(https(443)). Risk Level: High. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 1337."
4/21/2010 12:34:51 AM,Supervisor,Intrusion detected and blocked. All communication with 91.212.226.59 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 91.212.226.59 will be blocked for 30 minutes.
4/21/2010 12:29:21 AM,No User,Intrusion Detection is monitoring 1302 signatures.,Intrusion Detection is monitoring 1302 signatures.
4/21/2010 12:29:21 AM,No User,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.
4/21/2010 12:29:21 AM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/21/2010 12:19:42 AM,No User,Intrusion Detection is monitoring 1302 signatures.,Intrusion Detection is monitoring 1302 signatures.
4/21/2010 12:19:42 AM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/21/2010 12:19:42 AM,No User,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.
4/21/2010 12:15:16 AM,No User,Intrusion Detection is monitoring 1302 signatures.,Intrusion Detection is monitoring 1302 signatures.
4/21/2010 12:15:16 AM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/21/2010 12:15:16 AM,No User,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.
4/21/2010 12:13:32 AM,No User,Intrusion Detection is monitoring 1302 signatures.,Intrusion Detection is monitoring 1302 signatures.
4/21/2010 12:13:32 AM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/21/2010 12:13:32 AM,No User,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.
4/20/2010 11:33:12 PM,Supervisor,Intrusion detected and blocked. All communication with 202.157.171.207 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 202.157.171.207 will be blocked for 30 minutes.
4/20/2010 11:33:12 PM,Supervisor,Intrusion: HTTPS Tidserv Request 2.,"Intrusion: HTTPS Tidserv Request 2. Intruder: 202.157.171.207(https(443)). Risk Level: High. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 1920."
4/20/2010 11:03:11 PM,Supervisor,Intrusion detected and blocked. All communication with 91.212.226.67 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 91.212.226.67 will be blocked for 30 minutes.
4/20/2010 11:03:11 PM,Supervisor,Intrusion: HTTPS Tidserv Request 2.,"Intrusion: HTTPS Tidserv Request 2. Intruder: 91.212.226.67(https(443)). Risk Level: High. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 1254."
4/20/2010 7:57:52 PM,No User,Intrusion Detection is monitoring 1302 signatures.,Intrusion Detection is monitoring 1302 signatures.
4/20/2010 7:57:52 PM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/20/2010 7:57:52 PM,No User,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.
4/19/2010 9:18:36 PM,No User,Intrusion Detection is monitoring 1302 signatures.,Intrusion Detection is monitoring 1302 signatures.
4/19/2010 9:18:36 PM,No User,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.
4/19/2010 9:18:36 PM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/17/2010 11:33:16 PM,No User,Intrusion Detection is monitoring 1302 signatures.,Intrusion Detection is monitoring 1302 signatures.
4/17/2010 11:33:16 PM,No User,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.
4/17/2010 11:33:16 PM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/17/2010 11:28:39 PM,No User,Intrusion: HTTPS Tidserv Request 2.,"Intrusion: HTTPS Tidserv Request 2. Intruder: 202.157.171.207(https(443)). Risk Level: High. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 1569."
4/17/2010 11:28:39 PM,No User,Intrusion detected and blocked. All communication with 202.157.171.207 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 202.157.171.207 will be blocked for 30 minutes.
4/17/2010 10:58:38 PM,No User,Intrusion: HTTPS Tidserv Request 2.,"Intrusion: HTTPS Tidserv Request 2. Intruder: 91.212.226.67(https(443)). Risk Level: High. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 1470."
4/17/2010 10:58:38 PM,No User,Intrusion detected and blocked. All communication with 91.212.226.67 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 91.212.226.67 will be blocked for 30 minutes.
4/17/2010 10:45:57 PM,No User,Intrusion Detection is monitoring 1302 signatures.,Intrusion Detection is monitoring 1302 signatures.
4/17/2010 10:45:57 PM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/17/2010 10:45:57 PM,No User,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100415.001. Intrusion Detection Engine Version: 4.5.0.67.
4/18/2010 1:23:08 AM,No User,Intrusion Detection is monitoring 1303 signatures.,Intrusion Detection is monitoring 1303 signatures.
4/18/2010 1:23:08 AM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/18/2010 1:23:08 AM,No User,Intrusion Detection Signature File Version: 20100409.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100409.001. Intrusion Detection Engine Version: 4.5.0.67.
4/15/2010 5:05:40 AM,No User,Intrusion Detection is monitoring 1303 signatures.,Intrusion Detection is monitoring 1303 signatures.
4/15/2010 5:05:40 AM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/15/2010 5:05:40 AM,No User,Intrusion Detection Signature File Version: 20100409.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100409.001. Intrusion Detection Engine Version: 4.5.0.67.
4/15/2010 2:01:40 AM,No User,Intrusion Detection is monitoring 1303 signatures.,Intrusion Detection is monitoring 1303 signatures.
4/15/2010 2:01:40 AM,No User,Intrusion Detection Signature File Version: 20100409.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100409.001. Intrusion Detection Engine Version: 4.5.0.67.
4/15/2010 2:01:40 AM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/15/2010 1:53:39 AM,No User,Intrusion Detection is monitoring 1303 signatures.,Intrusion Detection is monitoring 1303 signatures.
4/15/2010 1:53:39 AM,No User,Intrusion Detection Signature File Version: 20100409.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100409.001. Intrusion Detection Engine Version: 4.5.0.67.
4/15/2010 1:53:39 AM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/15/2010 1:29:05 AM,Supervisor,Intrusion detected and blocked. All communication with 91.212.226.130 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 91.212.226.130 will be blocked for 30 minutes.
4/15/2010 1:29:05 AM,Supervisor,Intrusion: HTTP Tidserv Request.,"Intrusion: HTTP Tidserv Request. Intruder: 91.212.226.130(http(80)). Risk Level: High. Protocol: TCP. Attacked IP: localhost. Attacked Port: 1903."
4/15/2010 1:14:57 AM,Supervisor,Intrusion: HTTPS Tidserv Request 2.,"Intrusion: HTTPS Tidserv Request 2. Intruder: 91.212.226.67(https(443)). Risk Level: High. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 1568."
4/15/2010 1:14:57 AM,Supervisor,Intrusion detected and blocked. All communication with 91.212.226.67 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 91.212.226.67 will be blocked for 30 minutes.
4/15/2010 12:52:25 AM,Supervisor,Intrusion detected and blocked. All communication with 91.212.226.130 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 91.212.226.130 will be blocked for 30 minutes.
4/15/2010 12:52:25 AM,Supervisor,Intrusion: HTTP Tidserv Request.,"Intrusion: HTTP Tidserv Request. Intruder: 91.212.226.130(http(80)). Risk Level: High. Protocol: TCP. Attacked IP: localhost. Attacked Port: 1288."
4/15/2010 12:44:56 AM,Supervisor,Intrusion detected and blocked. All communication with 91.212.226.59 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 91.212.226.59 will be blocked for 30 minutes.
4/15/2010 12:44:56 AM,Supervisor,Intrusion: HTTPS Tidserv Request 2.,"Intrusion: HTTPS Tidserv Request 2. Intruder: 91.212.226.59(https(443)). Risk Level: High. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 1082."
4/15/2010 12:39:39 AM,No User,Intrusion Detection is monitoring 1303 signatures.,Intrusion Detection is monitoring 1303 signatures.
4/15/2010 12:39:39 AM,No User,Intrusion Detection Signature File Version: 20100409.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100409.001. Intrusion Detection Engine Version: 4.5.0.67.
4/15/2010 12:39:39 AM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/15/2010 12:25:33 AM,Supervisor,Intrusion: HTTPS Tidserv Request 2.,"Intrusion: HTTPS Tidserv Request 2. Intruder: 91.212.226.67(https(443)). Risk Level: High. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 1303."
4/15/2010 12:25:33 AM,Supervisor,Intrusion detected and blocked. All communication with 91.212.226.67 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 91.212.226.67 will be blocked for 30 minutes.
4/14/2010 11:55:31 PM,Supervisor,Intrusion: HTTPS Tidserv Request 2.,"Intrusion: HTTPS Tidserv Request 2. Intruder: 91.212.226.59(https(443)). Risk Level: High. Protocol: TCP. Attacked IP: BILLSR(192.168.0.100). Attacked Port: 1075."
4/14/2010 11:55:31 PM,Supervisor,Intrusion detected and blocked. All communication with 91.212.226.59 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 91.212.226.59 will be blocked for 30 minutes.
4/14/2010 11:50:14 PM,No User,Intrusion Detection is monitoring 1303 signatures.,Intrusion Detection is monitoring 1303 signatures.
4/14/2010 11:50:14 PM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/14/2010 11:50:14 PM,No User,Intrusion Detection Signature File Version: 20100409.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100409.001. Intrusion Detection Engine Version: 4.5.0.67.
4/14/2010 11:45:17 PM,No User,Intrusion Detection is monitoring 1303 signatures.,Intrusion Detection is monitoring 1303 signatures.
4/14/2010 11:45:17 PM,No User,Intrusion Detection has been enabled.,Intrusion Detection has been enabled.
4/14/2010 11:45:17 PM,No User,Intrusion Detection Signature File Version: 20100409.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100409.001. Intrusion Detection Engine Version: 4.5.0.67.
4/14/2010 9:09:01 AM,No User,Intrusion Detection is monitoring 1303 signatures.,Intrusion Detection is monitoring 1303 signatures.
4/14/2010 9:09:01 AM,No User,Intrusion Detection Signature File Version: 20100409.001. Intrusion Detection Engine Version: 4.5.0.67.,Intrusion Detection Signature File Version: 20100409.001. Intrusion Detection Engine Version: 4.5.0.67.

Category: Content Blocking
Date Time,User,Feature,URL,Details
5/1/2010 11:40:14 PM,Supervisor,ActiveX,http://www.chinaontv.com/videos/5894.php,"Content Blocked: Date Time: 5/1/2010 11:40:14 PM User: Supervisor Action: Blocked Type: ActiveX URL: http://www.chinaontv.com/videos/5894.php Data: (ActiveX) "
5/1/2010 11:19:25 PM,Supervisor,ActiveX,http://www.chinaontv.com/cartoon/videos_view_193.php,"Content Blocked: Date Time: 5/1/2010 11:19:25 PM User: Supervisor Action: Blocked Type: ActiveX URL: http://www.chinaontv.com/cartoon/videos_view_193.php Data: (ActiveX) "
4/30/2010 11:35:06 AM,Supervisor,ActiveX,http://www.bunnytube.net/539187/Undercovers-Fun-by-stikcumtheatre2-free,"Content Blocked: Date Time: 4/30/2010 11:35:06 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://www.bunnytube.net/539187/Undercovers-Fun-by-stikcumtheatre2-free Data: (ActiveX) "
4/30/2010 11:15:19 AM,Supervisor,ActiveX,http://server2.mediajmp.com/surveys/cpv-index.html?sub=m5prod.net,"Content Blocked: Date Time: 4/30/2010 11:15:19 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://server2.mediajmp.com/surveys/cpv-index.html?sub=m5prod.net Data: (ActiveX) "
4/30/2010 12:51:10 AM,Supervisor,ActiveX,http://www.flvs.net/parents/Pages/default.aspx,"Content Blocked: Date Time: 4/30/2010 12:51:10 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://www.flvs.net/parents/Pages/default.aspx Data: (ActiveX) "
4/30/2010 12:50:46 AM,Supervisor,ActiveX,http://www.flvs.net/Pages/default.aspx,"Content Blocked: Date Time: 4/30/2010 12:50:46 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://www.flvs.net/Pages/default.aspx Data: (ActiveX) "
4/30/2010 12:50:46 AM,Supervisor,ActiveX,http://www.flvs.net/Pages/default.aspx,"Content Blocked: Date Time: 4/30/2010 12:50:46 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://www.flvs.net/Pages/default.aspx Data: (ActiveX) "
4/22/2010 9:32:16 PM,Supervisor,ActiveX,http://www.onlyspecialoffers.info/submit/?t202id=3475&t202kw=http://ad.doubleclick.net/adi/n3285.casalemedia/b2343920.323;sz=300x250;click0=http://c.casalemedia.com/c/4/1/79693/;ord=1138867922&source=245-0,"Content Blocked: Date Time: 4/22/2010 9:32:16 PM User: Supervisor Action: Blocked Type: ActiveX URL: http://www.onlyspecialoffers.info/submit/?t202id=3475&t202kw=http://ad.doubleclick.net/adi/n3285.casalemedia/b2343920.323;sz=300x250;click0=http://c.casalemedia.com/c/4/1/79693/;ord=1138867922&source=245-0 Data: (ActiveX) "
4/21/2010 1:04:20 PM,Supervisor,ActiveX,http://features.yp.com/launch?from=LN_YP_header_splash,"Content Blocked: Date Time: 4/21/2010 1:04:20 PM User: Supervisor Action: Blocked Type: ActiveX URL: http://features.yp.com/launch?from=LN_YP_header_splash Data: (ActiveX) "
4/21/2010 10:59:46 AM,Supervisor,ActiveX,http://lc1.mycraigslistbusiness.com/AutoPopTemplates/PlainWhite.png,"Content Blocked: Date Time: 4/21/2010 10:59:46 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://lc1.mycraigslistbusiness.com/AutoPopTemplates/PlainWhite.png Data: (ActiveX) "
4/21/2010 12:38:33 AM,Supervisor,ActiveX,http://www.chinaontv.com/travel.php,"Content Blocked: Date Time: 4/21/2010 12:38:33 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://www.chinaontv.com/travel.php Data: (ActiveX) "
4/21/2010 12:38:13 AM,Supervisor,ActiveX,http://www.chinaontv.com/learning.php,"Content Blocked: Date Time: 4/21/2010 12:38:13 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://www.chinaontv.com/learning.php Data: (ActiveX) "
4/21/2010 12:37:37 AM,Supervisor,ActiveX,http://www.chinaontv.com/videos/6564.php,"Content Blocked: Date Time: 4/21/2010 12:37:37 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://www.chinaontv.com/videos/6564.php Data: (ActiveX) "
4/21/2010 12:37:24 AM,Supervisor,ActiveX,http://www.chinaontv.com/business.php,"Content Blocked: Date Time: 4/21/2010 12:37:24 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://www.chinaontv.com/business.php Data: (ActiveX) "
4/21/2010 12:36:26 AM,Supervisor,ActiveX,http://www.chinaontv.com/learning.php,"Content Blocked: Date Time: 4/21/2010 12:36:26 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://www.chinaontv.com/learning.php Data: (ActiveX) "
4/21/2010 12:35:47 AM,Supervisor,ActiveX,http://www.chinaontv.com/cartoon/videos_view_193.php,"Content Blocked: Date Time: 4/21/2010 12:35:47 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://www.chinaontv.com/cartoon/videos_view_193.php Data: (ActiveX) "
4/21/2010 12:04:43 AM,Supervisor,ActiveX,http://server2.mediajmp.com/surveys/cpv-index.html?sub=ubid.com,"Content Blocked: Date Time: 4/21/2010 12:04:43 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://server2.mediajmp.com/surveys/cpv-index.html?sub=ubid.com Data: (ActiveX) "
4/20/2010 11:18:41 PM,Supervisor,ActiveX,http://www.chinaontv.com/cartoon/videos_view_193.php,"Content Blocked: Date Time: 4/20/2010 11:18:41 PM User: Supervisor Action: Blocked Type: ActiveX URL: http://www.chinaontv.com/cartoon/videos_view_193.php Data: (ActiveX) "
4/15/2010 1:43:13 AM,Supervisor,ActiveX,http://www.roxwel.com/d45/flashbox.php?pageID=&state=vidflip&source=player&vidcount=1&filename=cluetokalotheinfiniteorphan&playlistMode=ondemand,"Content Blocked: Date Time: 4/15/2010 1:43:13 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://www.roxwel.com/d45/flashbox.php?pageID=&state=vidflip&source=player&vidcount=1&filename=cluetokalotheinfiniteorphan&playlistMode=ondemand Data: (ActiveX) "
4/15/2010 1:21:27 AM,Supervisor,ActiveX,http://world.chinaontv.com/videos/5792.php,"Content Blocked: Date Time: 4/15/2010 1:21:27 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://world.chinaontv.com/videos/5792.php Data: (ActiveX) "
4/15/2010 12:47:03 AM,Supervisor,ActiveX,http://server2.mediajmp.com/surveys/cpv-index.html?sub=m5prod.net,"Content Blocked: Date Time: 4/15/2010 12:47:03 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://server2.mediajmp.com/surveys/cpv-index.html?sub=m5prod.net Data: (ActiveX) "
4/15/2010 12:36:05 AM,Supervisor,ActiveX,http://world.chinaontv.com/learning.php,"Content Blocked: Date Time: 4/15/2010 12:36:05 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://world.chinaontv.com/learning.php Data: (ActiveX) "
4/15/2010 12:35:51 AM,Supervisor,ActiveX,http://world.chinaontv.com/cartoon/videos_view_193.php,"Content Blocked: Date Time: 4/15/2010 12:35:51 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://world.chinaontv.com/cartoon/videos_view_193.php Data: (ActiveX) "
4/15/2010 12:35:25 AM,Supervisor,ActiveX,http://world.chinaontv.com/index.php,"Content Blocked: Date Time: 4/15/2010 12:35:25 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://world.chinaontv.com/index.php Data: (ActiveX) "
4/15/2010 12:34:09 AM,Supervisor,ActiveX,http://world.chinaontv.com/videos/5792.php,"Content Blocked: Date Time: 4/15/2010 12:34:09 AM User: Supervisor Action: Blocked Type: ActiveX URL: http://world.chinaontv.com/videos/5792.php Data: (ActiveX) "
4/14/2010 11:25:29 PM,Supervisor,ActiveX,http://www.dancerbating.com/,"Content Blocked: Date Time: 4/14/2010 11:25:29 PM User: Supervisor Action: Blocked Type: ActiveX URL: http://www.dancerbating.com/ Data: (ActiveX) "
4/14/2010 10:51:16 PM,Supervisor,ActiveX,http://news.yahoo.com/s/ap/20100414/ap_on_bi_ge/us_so_long_sardines,"Content Blocked: Date Time: 4/14/2010 10:51:16 PM User: Supervisor Action: Blocked Type: ActiveX URL: http://news.yahoo.com/s/ap/20100414/ap_on_bi_ge/us_so_long_sardines Data: (ActiveX) "

shelf life
2010-05-02, 18:19
This is an indication of rootkit activity. Rootkits can hide from traditional malware/virus scanners. I wouldn't use this computer until it's cleaned up. In fact, make sure there is no connectivity by keeping it powered off or pulling the ethernet cable.
Is there any way you could download two small files and transfer them to the computer in question via a USB flash drive?

If so, you can get ComboFix and TDSSKiller for now.
There is a guide to using ComboFix; read through and follow what's presented in the guide. Use ComboFix first and post its log. Hold off on using TDSSKiller for now.

Links:
Guide: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please download TDSS Killer.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your desktop.
Extract the zip file to your desktop for now.

wmbeyer
2010-05-03, 00:10
For some reason my Norton AV tried to restart after reboot. I turned it off again but have no idea if ComboFix was affected in any way. Also, vtuurr.dll tried to start 7 times, but the notice said that no file could be found.

ComboFix 10-05-02.01 - Owner 05/02/2010 16:46:07.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.767.497 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\WindowsUpdate
c:\recycler\NPROTECT
c:\recycler\NPROTECT\00000000.DAT
c:\recycler\NPROTECT\00000001.DAT
c:\recycler\NPROTECT\00000002
c:\recycler\NPROTECT\00000003
c:\recycler\NPROTECT\00000004
c:\recycler\NPROTECT\00000005
c:\recycler\NPROTECT\00000006
c:\recycler\NPROTECT\00000008
c:\recycler\NPROTECT\00000010
c:\recycler\NPROTECT\00000011
c:\recycler\NPROTECT\00000014.DAT
c:\recycler\NPROTECT\00000015
c:\recycler\NPROTECT\00000016
c:\recycler\NPROTECT\00000017
c:\recycler\NPROTECT\00000018
c:\recycler\NPROTECT\00000020
c:\recycler\NPROTECT\00000021.DAT
c:\recycler\NPROTECT\00000022
c:\recycler\NPROTECT\00000023
c:\recycler\NPROTECT\00000024.DAT
c:\recycler\NPROTECT\00000025
c:\recycler\NPROTECT\00000026
c:\recycler\NPROTECT\00000027
c:\recycler\NPROTECT\00000028
c:\recycler\NPROTECT\00000029
c:\recycler\NPROTECT\00000030
c:\recycler\NPROTECT\00000031
c:\recycler\NPROTECT\00000032
c:\recycler\NPROTECT\00000033
c:\recycler\NPROTECT\00000034
c:\recycler\NPROTECT\00000035
c:\recycler\NPROTECT\00000036
c:\recycler\NPROTECT\00000037
c:\recycler\NPROTECT\00000038.dat
c:\recycler\NPROTECT\00000040
c:\recycler\NPROTECT\00000041
c:\recycler\NPROTECT\00000044
c:\recycler\NPROTECT\00000045
c:\recycler\NPROTECT\00000047
c:\recycler\NPROTECT\00000048
c:\recycler\NPROTECT\00000049
c:\recycler\NPROTECT\00000050
c:\recycler\NPROTECT\00000053
c:\recycler\NPROTECT\00000054
c:\recycler\NPROTECT\00000055
c:\recycler\NPROTECT\00000056
c:\recycler\NPROTECT\00000057
c:\recycler\NPROTECT\00000058
c:\recycler\NPROTECT\00000059
c:\recycler\NPROTECT\00000060
c:\recycler\NPROTECT\00000061
c:\recycler\NPROTECT\00000063
c:\recycler\NPROTECT\00000064
c:\recycler\NPROTECT\00000065
c:\recycler\NPROTECT\00000066
c:\recycler\NPROTECT\00000067
c:\recycler\NPROTECT\00000068
c:\recycler\NPROTECT\00000069
c:\recycler\NPROTECT\00000070
c:\recycler\NPROTECT\00000071
c:\recycler\NPROTECT\00000072
c:\recycler\NPROTECT\00000073
c:\recycler\NPROTECT\00000074
c:\recycler\NPROTECT\00000076
c:\recycler\NPROTECT\00000077
c:\recycler\NPROTECT\00000079
c:\recycler\NPROTECT\00000080
c:\recycler\NPROTECT\00000082
c:\recycler\NPROTECT\00000083
c:\recycler\NPROTECT\00000084
c:\recycler\NPROTECT\00000085
c:\recycler\NPROTECT\00000086
c:\recycler\NPROTECT\00000088
c:\recycler\NPROTECT\00000089
c:\recycler\NPROTECT\00000090
c:\recycler\NPROTECT\00000091
c:\recycler\NPROTECT\00000093
c:\recycler\NPROTECT\00000094
c:\recycler\NPROTECT\00000095
c:\recycler\NPROTECT\00000096
c:\recycler\NPROTECT\00000097
c:\recycler\NPROTECT\00000098
c:\recycler\NPROTECT\00000099
c:\recycler\NPROTECT\00000100
c:\recycler\NPROTECT\00000101
c:\recycler\NPROTECT\00000102
c:\recycler\NPROTECT\00000103
c:\recycler\NPROTECT\00000107
c:\recycler\NPROTECT\00000108.dat
c:\recycler\NPROTECT\00000109.dat
c:\recycler\NPROTECT\00000110
c:\recycler\NPROTECT\00000111
c:\recycler\NPROTECT\00000112
c:\recycler\NPROTECT\00000113
c:\recycler\NPROTECT\00000114
c:\recycler\NPROTECT\00000115
c:\recycler\NPROTECT\00000116
c:\recycler\NPROTECT\00000117
c:\recycler\NPROTECT\00000119
c:\recycler\NPROTECT\00000121.dat
c:\recycler\NPROTECT\00000123
c:\recycler\NPROTECT\00000124.bat
c:\recycler\NPROTECT\00000125
c:\recycler\NPROTECT\00000126
c:\recycler\NPROTECT\00000128
c:\recycler\NPROTECT\00000130
c:\recycler\NPROTECT\00000131
c:\recycler\NPROTECT\00000132
c:\recycler\NPROTECT\00000135
c:\recycler\NPROTECT\00000136
c:\recycler\NPROTECT\00000137
c:\recycler\NPROTECT\00000138
c:\recycler\NPROTECT\00000140
c:\recycler\NPROTECT\00000141
c:\recycler\NPROTECT\00000142
c:\recycler\NPROTECT\00000143
c:\recycler\NPROTECT\00000144
c:\recycler\NPROTECT\00000145
c:\recycler\NPROTECT\00000146
c:\recycler\NPROTECT\00000147
c:\recycler\NPROTECT\00000148
c:\recycler\NPROTECT\00000149
c:\recycler\NPROTECT\00000150
c:\recycler\NPROTECT\00000151
c:\recycler\NPROTECT\00000152
c:\recycler\NPROTECT\00000153
c:\recycler\NPROTECT\00000154
c:\recycler\NPROTECT\00000155
c:\recycler\NPROTECT\00000156
c:\recycler\NPROTECT\00000157
c:\recycler\NPROTECT\00000158
c:\recycler\NPROTECT\00000159
c:\recycler\NPROTECT\00000160
c:\recycler\NPROTECT\00000161
c:\recycler\NPROTECT\00000162
c:\recycler\NPROTECT\00000163
c:\recycler\NPROTECT\00000164
c:\recycler\NPROTECT\00000165
c:\recycler\NPROTECT\00000166
c:\recycler\NPROTECT\00000168
c:\recycler\NPROTECT\00000169
c:\recycler\NPROTECT\00000172
c:\recycler\NPROTECT\00000175
c:\recycler\NPROTECT\00000176
c:\recycler\NPROTECT\00000177
c:\recycler\NPROTECT\00000178
c:\recycler\NPROTECT\00000179.dat
c:\recycler\NPROTECT\00000180
c:\recycler\NPROTECT\00000181.bad
c:\recycler\NPROTECT\00000182
c:\recycler\NPROTECT\00000183
c:\recycler\NPROTECT\00000184
c:\recycler\NPROTECT\00000185
c:\recycler\NPROTECT\00000186
c:\recycler\NPROTECT\00000192.md5
c:\recycler\NPROTECT\00000201
c:\recycler\NPROTECT\00000202
c:\recycler\NPROTECT\NPROTECT.LOG
c:\recycler\S-1-5-21-357484485-327093594-2519368713-1003
c:\windows\patch.exe
c:\windows\system32\iAlmcoin.dll
c:\windows\system32\vtuurr.dll
D:\Autorun.inf

Infected copy of c:\windows\system32\drivers\disk.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-02 to 2010-05-02 )))))))))))))))))))))))))))))))
.

2010-05-02 03:37 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-02 03:37 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-02 03:22 . 2010-05-02 03:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-30 04:02 . 2010-04-30 04:03 -------- d-----w- c:\program files\ERUNT
2010-04-26 00:04 . 2010-04-26 00:04 -------- d-----w- c:\program files\Cobian Backup 10
2010-04-21 04:37 . 2010-04-21 04:37 -------- d-----w- c:\documents and settings\All Users\Application Data\TrojanHunter
2010-04-21 04:10 . 2010-04-21 04:10 -------- d-----w- c:\documents and settings\Owner\Application Data\TrojanHunter
2010-04-21 03:03 . 2010-04-26 16:16 -------- d-----w- c:\program files\TrojanHunter 5.3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-02 03:23 . 2003-10-14 13:31 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-25 20:55 . 2007-02-25 00:44 435 -c--a-w- c:\windows\system.tmp
2010-04-21 15:12 . 2004-04-02 21:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-21 15:10 . 2004-04-02 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-21 05:39 . 2007-02-25 00:28 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-18 02:51 . 2007-02-25 00:28 -------- d-----w- c:\program files\Spyware Doctor
2010-04-15 05:45 . 2003-11-15 08:22 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2010-04-14 13:05 . 2005-06-03 06:35 -------- d-----w- c:\program files\Norton SystemWorks
2010-03-18 22:49 . 2007-08-01 02:10 -------- d-----w- c:\program files\RegCure
2010-03-11 12:38 . 2004-02-06 22:05 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2009-06-04 06:14 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2003-11-15 08:22 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-10 00:28 . 2007-02-25 00:44 730 -c--a-w- c:\windows\win.tmp
2010-03-09 11:09 . 2003-11-15 07:58 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:00 . 2009-11-24 12:10 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-24 12:31 . 2003-10-11 10:06 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 13:19 . 2003-11-15 08:23 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39 . 2002-08-29 08:04 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:36 . 2003-11-15 08:22 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 11:08 . 2003-11-15 07:58 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2006-11-21 23:51 . 2006-11-21 23:52 774144 -c--a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QuickTime Task"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-23 52840]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"PopUpStopperFreeEdition"=c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HotKeysCmds"=c:\windows\System32\hkcmd.exe
"hpsysdrv"=c:\windows\system\hpsysdrv.exe
"KBD"=c:\hp\KBD\KBD.EXE
"LTMSG"=LTMSG.exe 7
"Recguard"=c:\windows\SMINST\RECGUARD.EXE
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
"THGuard"="c:\program files\TrojanHunter 5.3\THGuard.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\ccpm_0237.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [6/3/2005 3:02 AM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [6/3/2005 3:02 AM 3904]
R2 NProtectService;Norton UnErase Protection;c:\progra~1\NORTON~4\NORTON~2\NPROTECT.EXE [11/3/2005 7:08 PM 95832]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/10/2008 10:59 PM 99376]
S2 mrtRate;mrtRate; [x]
S3 idrmkl;idrmkl;\??\c:\docume~1\Owner\LOCALS~1\Temp\idrmkl.sys --> c:\docume~1\Owner\LOCALS~1\Temp\idrmkl.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-04-13 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job
- c:\progra~1\NORTON~4\NORTON~1\Navw32.exe [2005-09-23 16:13]

2010-04-26 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks\OBC.exe [2006-08-03 00:05]

2010-05-02 c:\windows\Tasks\Symantec Drmc.job
- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2005-10-26 23:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.att.net/
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://qus10.hpwis.com/
mSearch Bar = hxxp://srch-qus10.hpwis.com/
mWindow Title =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: att.net\webauth
Trusted Zone: fortunerep.com\www
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: windowsupdate.com\download
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
HKLM-Run-sstsqpsys - vtuurr.dll
HKLM-Run-yabyyxsys - vtuurr.dll
HKLM-Run-tuvwvwsys - vtuurr.dll
HKLM-Run-opqppmsys - vtuurr.dll
HKLM-Run-fcccbcsys - vtuurr.dll
HKLM-Run-efdedbsys - vtuurr.dll
HKU-Default-Run-iifghfsys - vtuurr.dll
Notify-WgaLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-02 16:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc21.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1730167982-1273179249-2621698179-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(6240)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Norton Internet Security\ISSVC.exe
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
c:\windows\System32\nvsvc32.exe
c:\program files\Spyware Doctor\sdhelp.exe
c:\progra~1\NORTON~4\NORTON~2\SPEEDD~1\NOPDB.EXE
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
.
**************************************************************************
.
Completion time: 2010-05-02 16:59:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-02 20:59

Pre-Run: 138,818,932,736 bytes free
Post-Run: 138,574,831,616 bytes free

- - End Of File - - 0EE70E64E7A0A06FBFC386A90951037A

wmbeyer
2010-05-03, 00:14
BTW, the infected computer is, and has been, disconnected from the internet except for the time that I downloaded the Malwarebytes program. I didn't know how big the download was or if it required a net connection. I transfer the data from my laptop to the infected computer by CD.

shelf life
2010-05-03, 03:12
OK, good. Thanks for all the info. We will use ComboFix again:
Temporarily disable your AV and any anti-malware apps before using ComboFix.

Click Start, then Run, type Notepad and click OK.
Copy/paste the text in the code box below into Notepad:
DDS::
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File

File::
C:\DOCUME~1\Owner\LOCALS~1\Temp\idrmkl.sys

Driver::
idrmkl


Name the Notepad file CFScript.txt and save it to your desktop.
Now locate the file you just saved and the ComboFix icon, both on your desktop.
Using your mouse, drag the CFScript right on top of the ComboFix icon and release; ComboFix will run and produce a new log.
Please post the new ComboFix log.

wmbeyer
2010-05-03, 04:11
I was not able to observe anything this time. It appears that everything went as desired. No windows opened of any kind, at least none that stayed open.
ComboFix 10-05-02.01 - Owner 05/02/2010 20:35:24.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.767.374 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

FILE ::
"c:\docume~1\Owner\LOCALS~1\Temp\idrmkl.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\NPROTECT\00000000.DAT
c:\recycler\NPROTECT\00000001.DAT
c:\recycler\NPROTECT\00000002
c:\recycler\NPROTECT\00000003
c:\recycler\NPROTECT\00000004
c:\recycler\NPROTECT\00000005
c:\recycler\NPROTECT\00000006
c:\recycler\NPROTECT\00000008
c:\recycler\NPROTECT\00000010
c:\recycler\NPROTECT\00000011
c:\recycler\NPROTECT\00000014.DAT
c:\recycler\NPROTECT\00000015
c:\recycler\NPROTECT\00000016
c:\recycler\NPROTECT\00000017
c:\recycler\NPROTECT\00000018
c:\recycler\NPROTECT\00000020
c:\recycler\NPROTECT\00000021.DAT
c:\recycler\NPROTECT\00000022
c:\recycler\NPROTECT\00000023
c:\recycler\NPROTECT\00000024.DAT
c:\recycler\NPROTECT\00000025
c:\recycler\NPROTECT\00000026
c:\recycler\NPROTECT\00000027
c:\recycler\NPROTECT\00000028
c:\recycler\NPROTECT\00000029
c:\recycler\NPROTECT\00000030
c:\recycler\NPROTECT\00000031
c:\recycler\NPROTECT\00000032
c:\recycler\NPROTECT\00000033
c:\recycler\NPROTECT\00000034
c:\recycler\NPROTECT\00000035
c:\recycler\NPROTECT\00000036
c:\recycler\NPROTECT\00000037.dat
c:\recycler\NPROTECT\00000038
c:\recycler\NPROTECT\00000039
c:\recycler\NPROTECT\00000042
c:\recycler\NPROTECT\00000043
c:\recycler\NPROTECT\00000044
c:\recycler\NPROTECT\00000046
c:\recycler\NPROTECT\00000047
c:\recycler\NPROTECT\00000048
c:\recycler\NPROTECT\00000049
c:\recycler\NPROTECT\00000050
c:\recycler\NPROTECT\00000052
c:\recycler\NPROTECT\00000053
c:\recycler\NPROTECT\00000054
c:\recycler\NPROTECT\00000055
c:\recycler\NPROTECT\00000058
c:\recycler\NPROTECT\00000059
c:\recycler\NPROTECT\00000060
c:\recycler\NPROTECT\00000062
c:\recycler\NPROTECT\00000064
c:\recycler\NPROTECT\00000065
c:\recycler\NPROTECT\00000066
c:\recycler\NPROTECT\00000067
c:\recycler\NPROTECT\00000068
c:\recycler\NPROTECT\00000069
c:\recycler\NPROTECT\00000070
c:\recycler\NPROTECT\00000071
c:\recycler\NPROTECT\00000072
c:\recycler\NPROTECT\00000073
c:\recycler\NPROTECT\00000074
c:\recycler\NPROTECT\00000076
c:\recycler\NPROTECT\00000077
c:\recycler\NPROTECT\00000079
c:\recycler\NPROTECT\00000080
c:\recycler\NPROTECT\00000082
c:\recycler\NPROTECT\00000083
c:\recycler\NPROTECT\00000084
c:\recycler\NPROTECT\00000085
c:\recycler\NPROTECT\00000086
c:\recycler\NPROTECT\00000088
c:\recycler\NPROTECT\00000089
c:\recycler\NPROTECT\00000090
c:\recycler\NPROTECT\00000091
c:\recycler\NPROTECT\00000093
c:\recycler\NPROTECT\00000094
c:\recycler\NPROTECT\00000095
c:\recycler\NPROTECT\00000096
c:\recycler\NPROTECT\00000097
c:\recycler\NPROTECT\00000098
c:\recycler\NPROTECT\00000099
c:\recycler\NPROTECT\00000100
c:\recycler\NPROTECT\00000101
c:\recycler\NPROTECT\00000102
c:\recycler\NPROTECT\00000103
c:\recycler\NPROTECT\00000104
c:\recycler\NPROTECT\00000105
c:\recycler\NPROTECT\00000109
c:\recycler\NPROTECT\00000110.dat
c:\recycler\NPROTECT\00000111.dat
c:\recycler\NPROTECT\00000113
c:\recycler\NPROTECT\00000114
c:\recycler\NPROTECT\00000115
c:\recycler\NPROTECT\00000116
c:\recycler\NPROTECT\00000117
c:\recycler\NPROTECT\00000118
c:\recycler\NPROTECT\00000119
c:\recycler\NPROTECT\00000120
c:\recycler\NPROTECT\00000122
c:\recycler\NPROTECT\00000124.dat
c:\recycler\NPROTECT\00000126
c:\recycler\NPROTECT\00000127.bat
c:\recycler\NPROTECT\00000128
c:\recycler\NPROTECT\00000129
c:\recycler\NPROTECT\00000131
c:\recycler\NPROTECT\00000133
c:\recycler\NPROTECT\00000134
c:\recycler\NPROTECT\00000135
c:\recycler\NPROTECT\00000138
c:\recycler\NPROTECT\00000139
c:\recycler\NPROTECT\00000140
c:\recycler\NPROTECT\00000141
c:\recycler\NPROTECT\00000143
c:\recycler\NPROTECT\00000144
c:\recycler\NPROTECT\00000145
c:\recycler\NPROTECT\00000146
c:\recycler\NPROTECT\00000147
c:\recycler\NPROTECT\00000148
c:\recycler\NPROTECT\00000149
c:\recycler\NPROTECT\00000150
c:\recycler\NPROTECT\00000151
c:\recycler\NPROTECT\00000152
c:\recycler\NPROTECT\00000153
c:\recycler\NPROTECT\00000154
c:\recycler\NPROTECT\00000155
c:\recycler\NPROTECT\00000156
c:\recycler\NPROTECT\00000157
c:\recycler\NPROTECT\00000158
c:\recycler\NPROTECT\00000159
c:\recycler\NPROTECT\00000160
c:\recycler\NPROTECT\00000161
c:\recycler\NPROTECT\00000162
c:\recycler\NPROTECT\00000163
c:\recycler\NPROTECT\00000164
c:\recycler\NPROTECT\00000165
c:\recycler\NPROTECT\00000166
c:\recycler\NPROTECT\00000167
c:\recycler\NPROTECT\00000168
c:\recycler\NPROTECT\00000169
c:\recycler\NPROTECT\00000171
c:\recycler\NPROTECT\00000172
c:\recycler\NPROTECT\00000175
c:\recycler\NPROTECT\00000178
c:\recycler\NPROTECT\00000179
c:\recycler\NPROTECT\00000180
c:\recycler\NPROTECT\00000181
c:\recycler\NPROTECT\00000182.dat
c:\recycler\NPROTECT\00000183
c:\recycler\NPROTECT\00000184
c:\recycler\NPROTECT\00000185
c:\recycler\NPROTECT\00000186
c:\recycler\NPROTECT\00000187
c:\recycler\NPROTECT\00000188.bad
c:\recycler\NPROTECT\00000189
c:\recycler\NPROTECT\00000190
c:\recycler\NPROTECT\00000191
c:\recycler\NPROTECT\00000192
c:\recycler\NPROTECT\00000193
c:\recycler\NPROTECT\00000199.md5
c:\recycler\NPROTECT\00000208
c:\recycler\NPROTECT\00000209
c:\recycler\NPROTECT\NPROTECT.LOG
c:\recycler\NPROTECT . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IDRMKL
-------\Service_idrmkl


((((((((((((((((((((((((( Files Created from 2010-04-03 to 2010-05-03 )))))))))))))))))))))))))))))))
.

2010-05-02 03:37 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-02 03:37 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-02 03:22 . 2010-05-02 03:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-30 04:02 . 2010-04-30 04:03 -------- d-----w- c:\program files\ERUNT
2010-04-26 00:04 . 2010-04-26 00:04 -------- d-----w- c:\program files\Cobian Backup 10
2010-04-21 04:37 . 2010-04-21 04:37 -------- d-----w- c:\documents and settings\All Users\Application Data\TrojanHunter
2010-04-21 04:10 . 2010-04-21 04:10 -------- d-----w- c:\documents and settings\Owner\Application Data\TrojanHunter
2010-04-21 03:03 . 2010-04-26 16:16 -------- d-----w- c:\program files\TrojanHunter 5.3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-03 00:43 . 2003-10-14 13:31 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-25 20:55 . 2007-02-25 00:44 435 -c--a-w- c:\windows\system.tmp
2010-04-21 15:12 . 2004-04-02 21:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-21 15:10 . 2004-04-02 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-21 05:39 . 2007-02-25 00:28 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-18 02:51 . 2007-02-25 00:28 -------- d-----w- c:\program files\Spyware Doctor
2010-04-15 05:45 . 2003-11-15 08:22 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2010-04-14 13:05 . 2005-06-03 06:35 -------- d-----w- c:\program files\Norton SystemWorks
2010-03-18 22:49 . 2007-08-01 02:10 -------- d-----w- c:\program files\RegCure
2010-03-11 12:38 . 2004-02-06 22:05 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2009-06-04 06:14 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2003-11-15 08:22 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-10 00:28 . 2007-02-25 00:44 730 -c--a-w- c:\windows\win.tmp
2010-03-09 11:09 . 2003-11-15 07:58 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:00 . 2009-11-24 12:10 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-24 12:31 . 2003-10-11 10:06 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 13:19 . 2003-11-15 08:23 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39 . 2002-08-29 08:04 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:36 . 2003-11-15 08:22 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 11:08 . 2003-11-15 07:58 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2006-11-21 23:51 . 2006-11-21 23:52 774144 -c--a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-05-02_20.55.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-03 00:43 . 2010-05-03 00:43 16384 c:\windows\Temp\Perflib_Perfdata_d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QuickTime Task"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-23 52840]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"PopUpStopperFreeEdition"=c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HotKeysCmds"=c:\windows\System32\hkcmd.exe
"hpsysdrv"=c:\windows\system\hpsysdrv.exe
"KBD"=c:\hp\KBD\KBD.EXE
"LTMSG"=LTMSG.exe 7
"Recguard"=c:\windows\SMINST\RECGUARD.EXE
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
"THGuard"="c:\program files\TrojanHunter 5.3\THGuard.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\ccpm_0237.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [6/3/2005 3:02 AM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [6/3/2005 3:02 AM 3904]
R2 NProtectService;Norton UnErase Protection;c:\progra~1\NORTON~4\NORTON~2\NPROTECT.EXE [11/3/2005 7:08 PM 95832]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/10/2008 10:59 PM 99376]
S2 mrtRate;mrtRate; [x]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-04-13 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job
- c:\progra~1\NORTON~4\NORTON~1\Navw32.exe [2005-09-23 16:13]

2010-04-26 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks\OBC.exe [2006-08-03 00:05]

2010-05-02 c:\windows\Tasks\Symantec Drmc.job
- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2005-10-26 23:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.att.net/
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://qus10.hpwis.com/
mSearch Bar = hxxp://srch-qus10.hpwis.com/
mWindow Title =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: att.net\webauth
Trusted Zone: fortunerep.com\www
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: windowsupdate.com\download
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-02 20:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc21.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1730167982-1273179249-2621698179-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4104)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Norton Internet Security\ISSVC.exe
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
c:\windows\System32\nvsvc32.exe
c:\program files\Spyware Doctor\sdhelp.exe
c:\progra~1\NORTON~4\NORTON~2\SPEEDD~1\NOPDB.EXE
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
.
**************************************************************************
.
Completion time: 2010-05-02 20:47:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-03 00:47
ComboFix2.txt 2010-05-02 20:59

Pre-Run: 138,475,220,992 bytes free
Post-Run: 138,550,755,328 bytes free

- - End Of File - - A674137CE620F33E0371CBE86E33FE3E

shelf life
2010-05-03, 05:01
hi,

If you have extracted TDSSkiller to your desktop you can run it now.
Double-click the extracted file to run it. Follow the prompts.
It will create a log file in your root drive--> Local Disk (C)

labeled like this:
TDSSkiller .2.2.8.1_02.05.2010_20.55.12_log.txt (version,date,time)

Please post the log

I will not be back on line for about 18 hrs.

wmbeyer
2010-05-03, 05:53
Here is the log file. It looks clean. I'll look for your post in about 19-20 hours when I get off work tomorrow. Thanks for your help.



22:47:29:703 7640 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
22:47:29:703 7640 ================================================================================
22:47:29:703 7640 SystemInfo:

22:47:29:703 7640 OS Version: 5.1.2600 ServicePack: 2.0
22:47:29:703 7640 Product type: Workstation
22:47:29:703 7640 ComputerName: BILLSR
22:47:29:703 7640 UserName: Owner
22:47:29:703 7640 Windows directory: C:\WINDOWS
22:47:29:703 7640 Processor architecture: Intel x86
22:47:29:703 7640 Number of processors: 1
22:47:29:703 7640 Page size: 0x1000
22:47:29:703 7640 Boot type: Normal boot
22:47:29:703 7640 ================================================================================
22:47:29:703 7640 UnloadDriverW: NtUnloadDriver error 2
22:47:29:703 7640 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
22:47:29:718 7640 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
22:47:29:718 7640 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
22:47:29:718 7640 wfopen_ex: Trying to KLMD file open
22:47:29:718 7640 wfopen_ex: File opened ok (Flags 2)
22:47:29:718 7640 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
22:47:29:718 7640 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
22:47:29:718 7640 wfopen_ex: Trying to KLMD file open
22:47:29:718 7640 wfopen_ex: File opened ok (Flags 2)
22:47:29:718 7640 Initialize success
22:47:29:718 7640
22:47:29:718 7640 Scanning Services ...
22:47:30:031 7640 Raw services enum returned 382 services
22:47:30:031 7640
22:47:30:031 7640 Scanning Kernel memory ...
22:47:30:031 7640 Devices to scan: 6
22:47:30:031 7640
22:47:30:031 7640 Driver Name: Disk
22:47:30:031 7640 IRP_MJ_CREATE : F74CDC30
22:47:30:031 7640 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
22:47:30:031 7640 IRP_MJ_CLOSE : F74CDC30
22:47:30:031 7640 IRP_MJ_READ : F74C7D9B
22:47:30:031 7640 IRP_MJ_WRITE : F74C7D9B
22:47:30:031 7640 IRP_MJ_QUERY_INFORMATION : 804F3418
22:47:30:031 7640 IRP_MJ_SET_INFORMATION : 804F3418
22:47:30:031 7640 IRP_MJ_QUERY_EA : 804F3418
22:47:30:031 7640 IRP_MJ_SET_EA : 804F3418
22:47:30:031 7640 IRP_MJ_FLUSH_BUFFERS : F74C8366
22:47:30:031 7640 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
22:47:30:031 7640 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
22:47:30:031 7640 IRP_MJ_DIRECTORY_CONTROL : 804F3418
22:47:30:031 7640 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
22:47:30:031 7640 IRP_MJ_DEVICE_CONTROL : F74C844D
22:47:30:031 7640 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74CBFC3
22:47:30:031 7640 IRP_MJ_SHUTDOWN : F74C8366
22:47:30:031 7640 IRP_MJ_LOCK_CONTROL : 804F3418
22:47:30:031 7640 IRP_MJ_CLEANUP : 804F3418
22:47:30:031 7640 IRP_MJ_CREATE_MAILSLOT : 804F3418
22:47:30:031 7640 IRP_MJ_QUERY_SECURITY : 804F3418
22:47:30:031 7640 IRP_MJ_SET_SECURITY : 804F3418
22:47:30:031 7640 IRP_MJ_POWER : F74C9EF3
22:47:30:031 7640 IRP_MJ_SYSTEM_CONTROL : F74CEA24
22:47:30:031 7640 IRP_MJ_DEVICE_CHANGE : 804F3418
22:47:30:031 7640 IRP_MJ_QUERY_QUOTA : 804F3418
22:47:30:031 7640 IRP_MJ_SET_QUOTA : 804F3418
22:47:30:062 7640 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
22:47:30:062 7640
22:47:30:062 7640 Driver Name: USBSTOR
22:47:30:062 7640 IRP_MJ_CREATE : F77B4218
22:47:30:062 7640 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
22:47:30:062 7640 IRP_MJ_CLOSE : F77B4218
22:47:30:062 7640 IRP_MJ_READ : F77B423C
22:47:30:062 7640 IRP_MJ_WRITE : F77B423C
22:47:30:062 7640 IRP_MJ_QUERY_INFORMATION : 804F3418
22:47:30:062 7640 IRP_MJ_SET_INFORMATION : 804F3418
22:47:30:062 7640 IRP_MJ_QUERY_EA : 804F3418
22:47:30:062 7640 IRP_MJ_SET_EA : 804F3418
22:47:30:062 7640 IRP_MJ_FLUSH_BUFFERS : 804F3418
22:47:30:062 7640 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
22:47:30:062 7640 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
22:47:30:062 7640 IRP_MJ_DIRECTORY_CONTROL : 804F3418
22:47:30:062 7640 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
22:47:30:062 7640 IRP_MJ_DEVICE_CONTROL : F77B4180
22:47:30:062 7640 IRP_MJ_INTERNAL_DEVICE_CONTROL : F77AF9E6
22:47:30:062 7640 IRP_MJ_SHUTDOWN : 804F3418
22:47:30:062 7640 IRP_MJ_LOCK_CONTROL : 804F3418
22:47:30:062 7640 IRP_MJ_CLEANUP : 804F3418
22:47:30:062 7640 IRP_MJ_CREATE_MAILSLOT : 804F3418
22:47:30:062 7640 IRP_MJ_QUERY_SECURITY : 804F3418
22:47:30:062 7640 IRP_MJ_SET_SECURITY : 804F3418
22:47:30:062 7640 IRP_MJ_POWER : F77B35F0
22:47:30:062 7640 IRP_MJ_SYSTEM_CONTROL : F77B1A6E
22:47:30:062 7640 IRP_MJ_DEVICE_CHANGE : 804F3418
22:47:30:062 7640 IRP_MJ_QUERY_QUOTA : 804F3418
22:47:30:062 7640 IRP_MJ_SET_QUOTA : 804F3418
22:47:30:062 7640 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
22:47:30:062 7640
22:47:30:062 7640 Driver Name: Disk
22:47:30:062 7640 IRP_MJ_CREATE : F74CDC30
22:47:30:062 7640 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
22:47:30:062 7640 IRP_MJ_CLOSE : F74CDC30
22:47:30:062 7640 IRP_MJ_READ : F74C7D9B
22:47:30:062 7640 IRP_MJ_WRITE : F74C7D9B
22:47:30:062 7640 IRP_MJ_QUERY_INFORMATION : 804F3418
22:47:30:062 7640 IRP_MJ_SET_INFORMATION : 804F3418
22:47:30:062 7640 IRP_MJ_QUERY_EA : 804F3418
22:47:30:062 7640 IRP_MJ_SET_EA : 804F3418
22:47:30:062 7640 IRP_MJ_FLUSH_BUFFERS : F74C8366
22:47:30:062 7640 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
22:47:30:062 7640 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
22:47:30:062 7640 IRP_MJ_DIRECTORY_CONTROL : 804F3418
22:47:30:062 7640 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
22:47:30:062 7640 IRP_MJ_DEVICE_CONTROL : F74C844D
22:47:30:062 7640 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74CBFC3
22:47:30:062 7640 IRP_MJ_SHUTDOWN : F74C8366
22:47:30:062 7640 IRP_MJ_LOCK_CONTROL : 804F3418
22:47:30:062 7640 IRP_MJ_CLEANUP : 804F3418
22:47:30:062 7640 IRP_MJ_CREATE_MAILSLOT : 804F3418
22:47:30:062 7640 IRP_MJ_QUERY_SECURITY : 804F3418
22:47:30:062 7640 IRP_MJ_SET_SECURITY : 804F3418
22:47:30:062 7640 IRP_MJ_POWER : F74C9EF3
22:47:30:062 7640 IRP_MJ_SYSTEM_CONTROL : F74CEA24
22:47:30:062 7640 IRP_MJ_DEVICE_CHANGE : 804F3418
22:47:30:062 7640 IRP_MJ_QUERY_QUOTA : 804F3418
22:47:30:062 7640 IRP_MJ_SET_QUOTA : 804F3418
22:47:30:062 7640 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
22:47:30:062 7640
22:47:30:062 7640 Driver Name: Disk
22:47:30:062 7640 IRP_MJ_CREATE : F74CDC30
22:47:30:062 7640 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
22:47:30:062 7640 IRP_MJ_CLOSE : F74CDC30
22:47:30:062 7640 IRP_MJ_READ : F74C7D9B
22:47:30:062 7640 IRP_MJ_WRITE : F74C7D9B
22:47:30:062 7640 IRP_MJ_QUERY_INFORMATION : 804F3418
22:47:30:062 7640 IRP_MJ_SET_INFORMATION : 804F3418
22:47:30:062 7640 IRP_MJ_QUERY_EA : 804F3418
22:47:30:062 7640 IRP_MJ_SET_EA : 804F3418
22:47:30:062 7640 IRP_MJ_FLUSH_BUFFERS : F74C8366
22:47:30:062 7640 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
22:47:30:062 7640 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
22:47:30:062 7640 IRP_MJ_DIRECTORY_CONTROL : 804F3418
22:47:30:062 7640 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
22:47:30:062 7640 IRP_MJ_DEVICE_CONTROL : F74C844D
22:47:30:062 7640 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74CBFC3
22:47:30:062 7640 IRP_MJ_SHUTDOWN : F74C8366
22:47:30:062 7640 IRP_MJ_LOCK_CONTROL : 804F3418
22:47:30:062 7640 IRP_MJ_CLEANUP : 804F3418
22:47:30:062 7640 IRP_MJ_CREATE_MAILSLOT : 804F3418
22:47:30:062 7640 IRP_MJ_QUERY_SECURITY : 804F3418
22:47:30:062 7640 IRP_MJ_SET_SECURITY : 804F3418
22:47:30:062 7640 IRP_MJ_POWER : F74C9EF3
22:47:30:062 7640 IRP_MJ_SYSTEM_CONTROL : F74CEA24
22:47:30:062 7640 IRP_MJ_DEVICE_CHANGE : 804F3418
22:47:30:062 7640 IRP_MJ_QUERY_QUOTA : 804F3418
22:47:30:062 7640 IRP_MJ_SET_QUOTA : 804F3418
22:47:30:078 7640 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
22:47:30:078 7640
22:47:30:078 7640 Driver Name: Disk
22:47:30:078 7640 IRP_MJ_CREATE : F74CDC30
22:47:30:078 7640 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
22:47:30:078 7640 IRP_MJ_CLOSE : F74CDC30
22:47:30:078 7640 IRP_MJ_READ : F74C7D9B
22:47:30:078 7640 IRP_MJ_WRITE : F74C7D9B
22:47:30:078 7640 IRP_MJ_QUERY_INFORMATION : 804F3418
22:47:30:078 7640 IRP_MJ_SET_INFORMATION : 804F3418
22:47:30:078 7640 IRP_MJ_QUERY_EA : 804F3418
22:47:30:078 7640 IRP_MJ_SET_EA : 804F3418
22:47:30:078 7640 IRP_MJ_FLUSH_BUFFERS : F74C8366
22:47:30:078 7640 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
22:47:30:078 7640 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
22:47:30:078 7640 IRP_MJ_DIRECTORY_CONTROL : 804F3418
22:47:30:078 7640 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
22:47:30:078 7640 IRP_MJ_DEVICE_CONTROL : F74C844D
22:47:30:078 7640 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74CBFC3
22:47:30:078 7640 IRP_MJ_SHUTDOWN : F74C8366
22:47:30:078 7640 IRP_MJ_LOCK_CONTROL : 804F3418
22:47:30:078 7640 IRP_MJ_CLEANUP : 804F3418
22:47:30:078 7640 IRP_MJ_CREATE_MAILSLOT : 804F3418
22:47:30:078 7640 IRP_MJ_QUERY_SECURITY : 804F3418
22:47:30:078 7640 IRP_MJ_SET_SECURITY : 804F3418
22:47:30:078 7640 IRP_MJ_POWER : F74C9EF3
22:47:30:078 7640 IRP_MJ_SYSTEM_CONTROL : F74CEA24
22:47:30:078 7640 IRP_MJ_DEVICE_CHANGE : 804F3418
22:47:30:078 7640 IRP_MJ_QUERY_QUOTA : 804F3418
22:47:30:078 7640 IRP_MJ_SET_QUOTA : 804F3418
22:47:30:078 7640 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
22:47:30:078 7640
22:47:30:078 7640 Driver Name: atapi
22:47:30:078 7640 IRP_MJ_CREATE : F731A572
22:47:30:078 7640 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
22:47:30:078 7640 IRP_MJ_CLOSE : F731A572
22:47:30:078 7640 IRP_MJ_READ : 804F3418
22:47:30:078 7640 IRP_MJ_WRITE : 804F3418
22:47:30:078 7640 IRP_MJ_QUERY_INFORMATION : 804F3418
22:47:30:078 7640 IRP_MJ_SET_INFORMATION : 804F3418
22:47:30:078 7640 IRP_MJ_QUERY_EA : 804F3418
22:47:30:078 7640 IRP_MJ_SET_EA : 804F3418
22:47:30:078 7640 IRP_MJ_FLUSH_BUFFERS : 804F3418
22:47:30:078 7640 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
22:47:30:078 7640 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
22:47:30:078 7640 IRP_MJ_DIRECTORY_CONTROL : 804F3418
22:47:30:078 7640 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
22:47:30:078 7640 IRP_MJ_DEVICE_CONTROL : F731A592
22:47:30:078 7640 IRP_MJ_INTERNAL_DEVICE_CONTROL : F73167B4
22:47:30:078 7640 IRP_MJ_SHUTDOWN : 804F3418
22:47:30:078 7640 IRP_MJ_LOCK_CONTROL : 804F3418
22:47:30:078 7640 IRP_MJ_CLEANUP : 804F3418
22:47:30:078 7640 IRP_MJ_CREATE_MAILSLOT : 804F3418
22:47:30:078 7640 IRP_MJ_QUERY_SECURITY : 804F3418
22:47:30:078 7640 IRP_MJ_SET_SECURITY : 804F3418
22:47:30:078 7640 IRP_MJ_POWER : F731A5BC
22:47:30:078 7640 IRP_MJ_SYSTEM_CONTROL : F7321164
22:47:30:078 7640 IRP_MJ_DEVICE_CHANGE : 804F3418
22:47:30:078 7640 IRP_MJ_QUERY_QUOTA : 804F3418
22:47:30:078 7640 IRP_MJ_SET_QUOTA : 804F3418
22:47:30:109 7640 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
22:47:30:109 7640
22:47:30:109 7640 Completed
22:47:30:109 7640
22:47:30:109 7640 Results:
22:47:30:109 7640 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
22:47:30:109 7640 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
22:47:30:109 7640 File objects infected / cured / cured on reboot: 0 / 0 / 0
22:47:30:109 7640
22:47:30:109 7640 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
22:47:30:109 7640 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
22:47:30:109 7640 KLMD(ARK) unloaded successfully

shelf life
2010-05-04, 04:16
Good, nothing there. See if you can update/run Malwarebytes now.

wmbeyer
2010-05-04, 08:09
Sorry to take so long. I got off work late. Here is the log of the scan. It failed to update, but I ran it as is. I had to connect to the internet to try the update. The scan found 3 more problems, and rebooted to remove them. So I tried to update a second time and had the same results. Lastly I ran Malwarebytes a second time. It came up empty, but as I said, it never did update. Here are the logs.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

5/4/2010 12:06:54 AM
mbam-log-2010-05-04 (00-06-54).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 233267
Time elapsed: 40 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\vtuurr.dll.vir (Trojan.VirTool) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP4\A0001156.dll (Trojan.VirTool) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP4\A0001168.dll (Trojan.VirTool) -> Quarantined and deleted successfully.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

5/4/2010 12:54:46 AM
mbam-log-2010-05-04 (00-54-46).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 232970
Time elapsed: 38 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
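
The two Malwarebytes logs above repay a close look: all three hits sit in ComboFix's Qoobox quarantine or inside System Restore points, which are copies already taken out of circulation rather than a live infection. The parser below is an added example, not code from the thread or from Malwarebytes; it reads the MBAM 1.46 log layout and sorts each hit into live, quarantine remnant or restore-point copy, using a sample log constructed from the first log posted above plus one made-up live hit (the hypothetical example_live.dll) so that every class appears.

```python
"""Parse a Malwarebytes' Anti-Malware 1.46 text log and triage its hits.

Added example, not code from the forum thread or from Malwarebytes. The log
layout follows the logs posted in the thread; SAMPLE_LOG is constructed from
the first MBAM log above plus one made-up 'live' hit (hypothetical file
example_live.dll) so that every triage class appears.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Memory Processes Infected: 0
Registry Keys Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\vtuurr.dll.vir (Trojan.VirTool) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP4\A0001156.dll (Trojan.VirTool) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP4\A0001168.dll (Trojan.VirTool) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\example_live.dll (Trojan.VirTool) -> Delete on reboot.
"""

# "Files Infected: 4" is a summary count; a bare "Files Infected:" opens a section.
SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
HIT_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+)$")   # path (Family) -> action
DBVER_RE = re.compile(r"^Database version: (\d+)$")


@dataclass
class Hit:
    section: str  # e.g. "Files Infected"
    path: str     # file path or registry location
    family: str   # MBAM detection name, e.g. Trojan.VirTool
    action: str   # what MBAM did with it
    kind: str     # triage class from classify()


@dataclass
class Report:
    database_version: Optional[int] = None
    summary: Dict[str, int] = field(default_factory=dict)
    hits: List[Hit] = field(default_factory=list)


def classify(path: str) -> str:
    """Separate live infections from copies that are already out of play.

    ComboFix parks what it removes under C:\\Qoobox\\Quarantine with a .vir
    suffix, and System Restore keeps old copies under _restore{GUID}\\RPn; a
    hit in either place is a remnant, not something currently executing.
    """
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p or p.endswith(".vir"):
        return "quarantine-remnant"
    if "\\system volume information\\_restore" in p:
        return "restore-point-copy"
    return "live"


def parse_log(text: str) -> Report:
    """Read the MBAM 1.46 layout: header, summary counts, then per-section lists."""
    report, section = Report(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := DBVER_RE.match(line):
            report.database_version = int(m.group(1))
        elif m := SUMMARY_RE.match(line):
            report.summary[m.group(1)] = int(m.group(2))
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif section and line != "(No malicious items detected)":
            if m := HIT_RE.match(line):
                path, family, action = m.groups()
                report.hits.append(Hit(section, path, family, action, classify(path)))
    return report


def triage(report: Report) -> Dict[str, int]:
    """Count hits per triage class; only 'live' calls for follow-up."""
    counts = {"live": 0, "quarantine-remnant": 0, "restore-point-copy": 0}
    for hit in report.hits:
        counts[hit.kind] += 1
    return counts


def summary_consistent(report: Report) -> bool:
    """Cross-check the summary counts against the items actually listed."""
    listed: Dict[str, int] = {}
    for hit in report.hits:
        listed[hit.section] = listed.get(hit.section, 0) + 1
    return all(report.summary.get(name, 0) == n for name, n in listed.items()) \
        and all(n == 0 for name, n in report.summary.items() if name not in listed)
```

Run against the real second log posted above, `triage()` returns all zeros, which is the "came up empty" result the poster describes.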

wmbeyer
2010-05-04, 08:27
BTW, I went to a different mirror site, "cnet"; it had version 1.46. I deleted the original Malwarebytes and reinstalled using the newer version. That one updated and is currently running. I will post the log after it completes.

wmbeyer
2010-05-04, 09:05
OK, last time that I will post before your response. I guess I needed to read the prior post because it was the updated version 1.46. Anyway, the last scan came up empty as well.

shelf life
2010-05-05, 04:08
OK, good. Are the Norton warnings gone now? How's it all looking on your end?

wmbeyer
2010-05-05, 06:17
I deleted all of the Norton AV files. I also went in and deleted all of the Symantec files that I could find and ran a Registry cleaner for anything that I missed. Here is the last TDSSKiller log. Tell me what you think.

I will need another antivirus program, but I want one that doesn't use so much of my system resources. Not sure what I am going to use right now. Anyway, if you want anything else, let me know. And thanks, I really appreciate it. I thought that I was going to have to re-install Windows to get rid of it.


23:04:01:500 3008 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
23:04:01:500 3008 ================================================================================
23:04:01:500 3008 SystemInfo:

23:04:01:500 3008 OS Version: 5.1.2600 ServicePack: 2.0
23:04:01:500 3008 Product type: Workstation
23:04:01:500 3008 ComputerName: BILLSR
23:04:01:500 3008 UserName: Owner
23:04:01:500 3008 Windows directory: C:\WINDOWS
23:04:01:500 3008 Processor architecture: Intel x86
23:04:01:500 3008 Number of processors: 1
23:04:01:500 3008 Page size: 0x1000
23:04:01:515 3008 Boot type: Normal boot
23:04:01:515 3008 ================================================================================
23:04:01:515 3008 UnloadDriverW: NtUnloadDriver error 2
23:04:01:515 3008 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
23:04:01:531 3008 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
23:04:01:531 3008 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:04:01:531 3008 wfopen_ex: Trying to KLMD file open
23:04:01:531 3008 wfopen_ex: File opened ok (Flags 2)
23:04:01:531 3008 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
23:04:01:531 3008 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:04:01:531 3008 wfopen_ex: Trying to KLMD file open
23:04:01:531 3008 wfopen_ex: File opened ok (Flags 2)
23:04:01:531 3008 Initialize success
23:04:01:531 3008
23:04:01:531 3008 Scanning Services ...
23:04:01:828 3008 Raw services enum returned 352 services
23:04:01:828 3008
23:04:01:828 3008 Scanning Kernel memory ...
23:04:01:828 3008 Devices to scan: 5
23:04:01:828 3008
23:04:01:828 3008 Driver Name: Disk
23:04:01:828 3008 IRP_MJ_CREATE : F74CDC30
23:04:01:828 3008 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
23:04:01:828 3008 IRP_MJ_CLOSE : F74CDC30
23:04:01:828 3008 IRP_MJ_READ : F74C7D9B
23:04:01:828 3008 IRP_MJ_WRITE : F74C7D9B
23:04:01:828 3008 IRP_MJ_QUERY_INFORMATION : 804F3418
23:04:01:828 3008 IRP_MJ_SET_INFORMATION : 804F3418
23:04:01:828 3008 IRP_MJ_QUERY_EA : 804F3418
23:04:01:828 3008 IRP_MJ_SET_EA : 804F3418
23:04:01:828 3008 IRP_MJ_FLUSH_BUFFERS : F74C8366
23:04:01:828 3008 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
23:04:01:828 3008 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
23:04:01:828 3008 IRP_MJ_DIRECTORY_CONTROL : 804F3418
23:04:01:828 3008 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
23:04:01:828 3008 IRP_MJ_DEVICE_CONTROL : F74C844D
23:04:01:828 3008 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74CBFC3
23:04:01:828 3008 IRP_MJ_SHUTDOWN : F74C8366
23:04:01:828 3008 IRP_MJ_LOCK_CONTROL : 804F3418
23:04:01:828 3008 IRP_MJ_CLEANUP : 804F3418
23:04:01:828 3008 IRP_MJ_CREATE_MAILSLOT : 804F3418
23:04:01:828 3008 IRP_MJ_QUERY_SECURITY : 804F3418
23:04:01:828 3008 IRP_MJ_SET_SECURITY : 804F3418
23:04:01:828 3008 IRP_MJ_POWER : F74C9EF3
23:04:01:828 3008 IRP_MJ_SYSTEM_CONTROL : F74CEA24
23:04:01:828 3008 IRP_MJ_DEVICE_CHANGE : 804F3418
23:04:01:828 3008 IRP_MJ_QUERY_QUOTA : 804F3418
23:04:01:828 3008 IRP_MJ_SET_QUOTA : 804F3418
23:04:01:843 3008 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
23:04:01:843 3008
23:04:01:843 3008 Driver Name: USBSTOR
23:04:01:843 3008 IRP_MJ_CREATE : F77AC218
23:04:01:843 3008 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
23:04:01:843 3008 IRP_MJ_CLOSE : F77AC218
23:04:01:843 3008 IRP_MJ_READ : F77AC23C
23:04:01:843 3008 IRP_MJ_WRITE : F77AC23C
23:04:01:843 3008 IRP_MJ_QUERY_INFORMATION : 804F3418
23:04:01:843 3008 IRP_MJ_SET_INFORMATION : 804F3418
23:04:01:843 3008 IRP_MJ_QUERY_EA : 804F3418
23:04:01:843 3008 IRP_MJ_SET_EA : 804F3418
23:04:01:843 3008 IRP_MJ_FLUSH_BUFFERS : 804F3418
23:04:01:843 3008 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
23:04:01:843 3008 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
23:04:01:843 3008 IRP_MJ_DIRECTORY_CONTROL : 804F3418
23:04:01:843 3008 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
23:04:01:843 3008 IRP_MJ_DEVICE_CONTROL : F77AC180
23:04:01:843 3008 IRP_MJ_INTERNAL_DEVICE_CONTROL : F77A79E6
23:04:01:843 3008 IRP_MJ_SHUTDOWN : 804F3418
23:04:01:843 3008 IRP_MJ_LOCK_CONTROL : 804F3418
23:04:01:843 3008 IRP_MJ_CLEANUP : 804F3418
23:04:01:843 3008 IRP_MJ_CREATE_MAILSLOT : 804F3418
23:04:01:843 3008 IRP_MJ_QUERY_SECURITY : 804F3418
23:04:01:843 3008 IRP_MJ_SET_SECURITY : 804F3418
23:04:01:843 3008 IRP_MJ_POWER : F77AB5F0
23:04:01:843 3008 IRP_MJ_SYSTEM_CONTROL : F77A9A6E
23:04:01:843 3008 IRP_MJ_DEVICE_CHANGE : 804F3418
23:04:01:843 3008 IRP_MJ_QUERY_QUOTA : 804F3418
23:04:01:843 3008 IRP_MJ_SET_QUOTA : 804F3418
23:04:01:859 3008 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
23:04:01:859 3008
23:04:01:859 3008 Driver Name: Disk
23:04:01:859 3008 IRP_MJ_CREATE : F74CDC30
23:04:01:859 3008 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
23:04:01:859 3008 IRP_MJ_CLOSE : F74CDC30
23:04:01:859 3008 IRP_MJ_READ : F74C7D9B
23:04:01:859 3008 IRP_MJ_WRITE : F74C7D9B
23:04:01:859 3008 IRP_MJ_QUERY_INFORMATION : 804F3418
23:04:01:859 3008 IRP_MJ_SET_INFORMATION : 804F3418
23:04:01:859 3008 IRP_MJ_QUERY_EA : 804F3418
23:04:01:859 3008 IRP_MJ_SET_EA : 804F3418
23:04:01:859 3008 IRP_MJ_FLUSH_BUFFERS : F74C8366
23:04:01:859 3008 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
23:04:01:859 3008 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
23:04:01:859 3008 IRP_MJ_DIRECTORY_CONTROL : 804F3418
23:04:01:859 3008 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
23:04:01:859 3008 IRP_MJ_DEVICE_CONTROL : F74C844D
23:04:01:859 3008 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74CBFC3
23:04:01:859 3008 IRP_MJ_SHUTDOWN : F74C8366
23:04:01:859 3008 IRP_MJ_LOCK_CONTROL : 804F3418
23:04:01:859 3008 IRP_MJ_CLEANUP : 804F3418
23:04:01:859 3008 IRP_MJ_CREATE_MAILSLOT : 804F3418
23:04:01:859 3008 IRP_MJ_QUERY_SECURITY : 804F3418
23:04:01:859 3008 IRP_MJ_SET_SECURITY : 804F3418
23:04:01:859 3008 IRP_MJ_POWER : F74C9EF3
23:04:01:859 3008 IRP_MJ_SYSTEM_CONTROL : F74CEA24
23:04:01:859 3008 IRP_MJ_DEVICE_CHANGE : 804F3418
23:04:01:859 3008 IRP_MJ_QUERY_QUOTA : 804F3418
23:04:01:859 3008 IRP_MJ_SET_QUOTA : 804F3418
23:04:01:859 3008 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
23:04:01:859 3008
23:04:01:859 3008 Driver Name: Disk
23:04:01:859 3008 IRP_MJ_CREATE : F74CDC30
23:04:01:859 3008 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
23:04:01:859 3008 IRP_MJ_CLOSE : F74CDC30
23:04:01:859 3008 IRP_MJ_READ : F74C7D9B
23:04:01:859 3008 IRP_MJ_WRITE : F74C7D9B
23:04:01:859 3008 IRP_MJ_QUERY_INFORMATION : 804F3418
23:04:01:859 3008 IRP_MJ_SET_INFORMATION : 804F3418
23:04:01:859 3008 IRP_MJ_QUERY_EA : 804F3418
23:04:01:859 3008 IRP_MJ_SET_EA : 804F3418
23:04:01:859 3008 IRP_MJ_FLUSH_BUFFERS : F74C8366
23:04:01:859 3008 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
23:04:01:859 3008 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
23:04:01:859 3008 IRP_MJ_DIRECTORY_CONTROL : 804F3418
23:04:01:859 3008 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
23:04:01:859 3008 IRP_MJ_DEVICE_CONTROL : F74C844D
23:04:01:859 3008 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74CBFC3
23:04:01:859 3008 IRP_MJ_SHUTDOWN : F74C8366
23:04:01:859 3008 IRP_MJ_LOCK_CONTROL : 804F3418
23:04:01:859 3008 IRP_MJ_CLEANUP : 804F3418
23:04:01:859 3008 IRP_MJ_CREATE_MAILSLOT : 804F3418
23:04:01:859 3008 IRP_MJ_QUERY_SECURITY : 804F3418
23:04:01:859 3008 IRP_MJ_SET_SECURITY : 804F3418
23:04:01:859 3008 IRP_MJ_POWER : F74C9EF3
23:04:01:859 3008 IRP_MJ_SYSTEM_CONTROL : F74CEA24
23:04:01:859 3008 IRP_MJ_DEVICE_CHANGE : 804F3418
23:04:01:859 3008 IRP_MJ_QUERY_QUOTA : 804F3418
23:04:01:859 3008 IRP_MJ_SET_QUOTA : 804F3418
23:04:01:859 3008 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
23:04:01:859 3008
23:04:01:859 3008 Driver Name: atapi
23:04:01:859 3008 IRP_MJ_CREATE : F731A572
23:04:01:859 3008 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
23:04:01:859 3008 IRP_MJ_CLOSE : F731A572
23:04:01:859 3008 IRP_MJ_READ : 804F3418
23:04:01:859 3008 IRP_MJ_WRITE : 804F3418
23:04:01:859 3008 IRP_MJ_QUERY_INFORMATION : 804F3418
23:04:01:859 3008 IRP_MJ_SET_INFORMATION : 804F3418
23:04:01:859 3008 IRP_MJ_QUERY_EA : 804F3418
23:04:01:859 3008 IRP_MJ_SET_EA : 804F3418
23:04:01:859 3008 IRP_MJ_FLUSH_BUFFERS : 804F3418
23:04:01:859 3008 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
23:04:01:859 3008 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
23:04:01:859 3008 IRP_MJ_DIRECTORY_CONTROL : 804F3418
23:04:01:859 3008 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
23:04:01:859 3008 IRP_MJ_DEVICE_CONTROL : F731A592
23:04:01:859 3008 IRP_MJ_INTERNAL_DEVICE_CONTROL : F73167B4
23:04:01:859 3008 IRP_MJ_SHUTDOWN : 804F3418
23:04:01:859 3008 IRP_MJ_LOCK_CONTROL : 804F3418
23:04:01:859 3008 IRP_MJ_CLEANUP : 804F3418
23:04:01:859 3008 IRP_MJ_CREATE_MAILSLOT : 804F3418
23:04:01:859 3008 IRP_MJ_QUERY_SECURITY : 804F3418
23:04:01:859 3008 IRP_MJ_SET_SECURITY : 804F3418
23:04:01:859 3008 IRP_MJ_POWER : F731A5BC
23:04:01:859 3008 IRP_MJ_SYSTEM_CONTROL : F7321164
23:04:01:859 3008 IRP_MJ_DEVICE_CHANGE : 804F3418
23:04:01:859 3008 IRP_MJ_QUERY_QUOTA : 804F3418
23:04:01:859 3008 IRP_MJ_SET_QUOTA : 804F3418
23:04:01:890 3008 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
23:04:01:890 3008
23:04:01:890 3008 Completed
23:04:01:890 3008
23:04:01:890 3008 Results:
23:04:01:890 3008 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
23:04:01:890 3008 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
23:04:01:890 3008 File objects infected / cured / cured on reboot: 0 / 0 / 0
23:04:01:890 3008
23:04:01:890 3008 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
23:04:01:890 3008 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
23:04:01:890 3008 KLMD(ARK) unloaded successfully
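The TDSSKiller output above lists, for each storage driver, the kernel address that every IRP major function dispatches to. The address 804F3418 repeats across all drivers because it is the kernel's own stub for requests the driver does not implement; the remaining entries should all fall inside the driver's own image, and a dispatch entry that points somewhere else is how a rootkit of the TDSS family hijacks a driver such as atapi.sys. The following parser is an added example and not part of the thread or of the TDSSKiller tool: it reads blocks in this log format, treats the one address shared by every driver as the kernel stub, and flags any remaining handler that lies more than an assumed 1 MiB from the driver's other handlers. The sample log is a constructed excerpt in which the USBSTOR block has been given one out-of-range address to show what a hooked entry looks like; the real log in this thread shows no such entry.

```python
import re
from statistics import median

# Constructed excerpt in the TDSSKiller log format. The atapi block copies the
# thread's clean values; the USBSTOR block has one handler (81E4A100) replaced
# with a constructed out-of-image address to stand in for a hooked entry.
SAMPLE_LOG = r"""
23:04:01:859 3008 Driver Name: atapi
23:04:01:859 3008 IRP_MJ_CREATE : F731A572
23:04:01:859 3008 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
23:04:01:859 3008 IRP_MJ_CLOSE : F731A572
23:04:01:859 3008 IRP_MJ_READ : 804F3418
23:04:01:859 3008 IRP_MJ_DEVICE_CONTROL : F731A592
23:04:01:859 3008 IRP_MJ_INTERNAL_DEVICE_CONTROL : F73167B4
23:04:01:859 3008 IRP_MJ_POWER : F731A5BC
23:04:01:859 3008 IRP_MJ_SYSTEM_CONTROL : F7321164
23:04:01:890 3008 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1

23:04:01:843 3008 Driver Name: USBSTOR
23:04:01:843 3008 IRP_MJ_CREATE : F77AC218
23:04:01:843 3008 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
23:04:01:843 3008 IRP_MJ_READ : F77AC23C
23:04:01:843 3008 IRP_MJ_WRITE : F77AC23C
23:04:01:843 3008 IRP_MJ_DEVICE_CONTROL : F77AC180
23:04:01:843 3008 IRP_MJ_INTERNAL_DEVICE_CONTROL : 81E4A100
23:04:01:843 3008 IRP_MJ_POWER : F77AB5F0
23:04:01:859 3008 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
"""

DRIVER_RE = re.compile(r"Driver Name: (\S+)")
IRP_RE = re.compile(r"(IRP_MJ_\w+) : ([0-9A-Fa-f]{8})")
VERDICT_RE = re.compile(r"(\S+\.(?:sys|SYS)) - Verdict: (\d+)")

# Assumed locality window: 1 MiB, larger than any of these boot-time storage
# driver images, so every genuine handler of one driver falls within it.
WINDOW = 0x100000


def parse_dispatch_tables(text):
    """Split the log into driver blocks: name, image path, verdict and the
    IRP_MJ_* -> handler address table as integers."""
    drivers = []
    current = None
    for line in text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = {"name": m.group(1), "image": None,
                       "verdict": None, "handlers": {}}
            drivers.append(current)
            continue
        if current is None:
            continue
        m = IRP_RE.search(line)
        if m:
            current["handlers"][m.group(1)] = int(m.group(2), 16)
            continue
        m = VERDICT_RE.search(line)
        if m:
            current["image"] = m.group(1)
            current["verdict"] = int(m.group(2))
    return drivers


def shared_default_handler(drivers):
    """The single address present in every driver's table is the kernel's
    'not implemented' stub (804F3418 in the thread's log). It is not driver
    code, so it is excluded from the locality check."""
    tables = [set(d["handlers"].values()) for d in drivers if d["handlers"]]
    common = set.intersection(*tables) if tables else set()
    return next(iter(common)) if len(common) == 1 else None


def find_outlying_handlers(driver, default_addr, window=WINDOW):
    """Return the IRP names whose handler lies more than `window` bytes from
    the median of this driver's own (non-stub) handlers."""
    own = {irp: a for irp, a in driver["handlers"].items() if a != default_addr}
    if len(own) < 2:
        return []
    centre = median(list(own.values()))
    return sorted(irp for irp, a in own.items() if abs(a - centre) > window)


def audit(text):
    """Map driver name -> list of suspicious IRP dispatch entries."""
    drivers = parse_dispatch_tables(text)
    default_addr = shared_default_handler(drivers)
    return {d["name"]: find_outlying_handlers(d, default_addr) for d in drivers}


if __name__ == "__main__":
    for name, flagged in audit(SAMPLE_LOG).items():
        print(name, "OK" if not flagged else "suspicious: " + ", ".join(flagged))
```

Run against the thread's actual log, the check reports no outliers for any of the five blocks, which matches the scan's result of zero infected memory objects. The window heuristic is a triage aid only; a proper check compares each address against the loaded module list to confirm it sits inside the driver's image.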

shelf life
2010-05-06, 01:14
That log looks ok to me. Norton too heavy on the system's resources? You ran the uninstaller in the Add/Remove Programs panel? There are several free AVs you can choose from. I will post back.

wmbeyer
2010-05-06, 05:35
I am interested in Viper AV with anti-spy and firewall, along with their CounterSpy program. The best that I can find out is that it has a fairly small footprint on your system memory and still manages to catch 92% of the crap live. I know that free is a price that I really like, but my kids get on my machine and go places that I don't allow. I am interested in what you post. I have several computers that my kids can't touch, business and laptop. Neither of which ever goes places that have high risk, but both do open a lot of e-mail.

shelf life
2010-05-07, 00:56
Nothing exists that will catch and remove all malware. A firewall isn't really a solution for catching malware. A firewall prompt just means it's already on your computer. No malware will open its own port but rather just uses an existing connection or launches other Windows components. They can also put up very technical messages to answer. Do I allow this or not? Not to dissuade you, if you want a firewall get one.
As far as AV goes-- some free ones. The paid suites have nothing over the free ones. I have never used a paid AV in Windows.

avast (http://www.avast.com/security-software-home-office)
AVG (http://free.avg.com/us-en/homepage)
Avira (http://www.free-av.com/en/products/index.html)
MS Security Essentials (http://www.microsoft.com/Security_Essentials/)
Clamwin (http://www.clamwin.com/)
Clamwin is an on-demand scanner; it does not run in the background offering real-time scanning/protection.

These AVs also all (I think) include an anti-malware component.
You also have Spybot and Malwarebytes for anti-malware.
Note that Malwarebytes must be updated manually and a scan started manually.

So one AV and 2 or 3 anti-malware apps, and possibly a firewall.

A few other solutions you can check into:

Spywareblaster (http://www.javacoolsoftware.com/spywareblaster.html#FAQ)

Use Spybot's TeaTimer and immunization feature

Non-Admin Accounts (http://windows.microsoft.com/en-us/windows7/Why-use-a-standard-user-account-instead-of-an-administrator-account)

Hardening Internet Explorer (http://nsslabs.com/general/ie8-hardening-tool.html)

I have never heard of this: System Security 1.04. Can you provide a link to the website?
If all is good we can finish up.

wmbeyer
2010-05-07, 08:04
Thanks for the tips. I have 5 people that use that computer. Giving them all their own accounts is something that is simple and will help. The main fear that I have is the virus that gets in when I am not aware. I do not like private information getting out, and trojans really are what bother me most. Not so much because of the damage, but because of their ability to capture passwords, bank information, etc.

I use a watchdog program that you did not see called WinPatrol. Anything that gets downloaded, changes startup, or writes to the registry, I get a notification. This was the first time that a virus was actually attached to that program.

The program System Security Suite 1.04 is a program to remove internet tracks and junk files from my computer. I delete cookies, clear the Internet Explorer cache, delete index.dat files, clear typed URLs, the Windows Temp folder and much more. I can also specify custom folder locations with file masks, which will be cleaned in addition to my selected items. Also, it allows me to view and optionally remove programs that launch automatically at Windows startup. That is redundant to Spybot and others, but I found that sometimes stuff that doesn't get caught by one program gets caught by the other. In short, it is more of a privacy tool than a security tool though.

One thing that some people don't like is that you have to reboot to get a complete clean up. That is how the .ini files get deleted. You can download it from a number of sites; here is one: http://www.spychecker.com/program/3s.html

Again Thank You! Thank You! What you guys do for us is outstanding!!!!

shelf life
2010-05-08, 04:21
You're welcome. It's a guess but I think TeaTimer and WinPatrol have similar features. Might only want to use one of them, not both.

You can get one more download which will remove ComboFix and GMER. You can delete TDSSKiller from your desktop:

Please download OTCleanIt and save it to desktop.

http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.

You can make a new restore point. The how and the why:

One of the features of Windows XP, Vista and Windows 7 is the System Restore option; however, if malware infects a computer it is possible that the malware could be backed up in the System Restore archive. Therefore, clearing the restore points is a good idea after malware is removed and your computer appears to be functioning ok.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore. (creates a new restore point on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot

If you use Firefox it has a lot of add-ons, like this one. (https://addons.mozilla.org/en-US/firefox/addon/3456#reviews)

If all is good, A few more tips:

10 Tips for Reducing/Preventing Your Risk To Malware:

In no special order

1) It is essential to keep your OS (http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us) (Windows), browser (IE, Firefox) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the auto-update feature. Staying updated is also necessary for web-based applications like Java, Adobe Flash/Reader, QuickTime etc. Check their version status here. (http://secunia.com/vulnerability_scanning/online/)

2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, popups or random links. Do not fall for fake warnings about viruses and trojans being found on your computer where you are then prompted to install software to remedy this. See also the signs (http://www.virusvault.us/signs1.html) that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently finds malware then it's time to *review your computer habits*. There is no reason why you can not stay malware free.

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem.

5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

7) Set up and use limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and W7 attempts to address.

8) Install and understand the *limitations* of a software firewall. A firewall is not a solution for attempting to control or catch malware sneaking out.

9) A tool (http://nsslabs.com/general/ie8-hardening-tool.html) for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. Changes some of the default settings of IE 8.0; read the FAQs.

10) Warez, cracks etc are very popular for carrying all kinds of malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks, then you are also much more likely to encounter malicious code in a downloaded file. Do you really trust the source of the file? Do you really need another malware source?

Happy safe surfing.